diff --git a/.gitignore b/.gitignore
index f017bb5..d876c26 100644
--- a/.gitignore
+++ b/.gitignore
@@ -112,6 +112,7 @@ dmypy.json
# End of https://www.gitignore.io/api/python,ansible
env/
+ansible/.vault_pass
ansible/galaxy_roles
ansible/galaxy_collections
@@ -152,3 +153,4 @@ override.tf.json
terraform/secrets.auto.tfvars
terraform/secrets.sh
+terraform/.terraform.lock.hcl
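Review bot: Ignoring `terraform/.terraform.lock.hcl` drops the provider version and checksum pins from version control, so each `terraform init` may resolve and trust different provider builds than the ones last reviewed. Unlike `secrets.auto.tfvars` and `secrets.sh` on the lines above it, the lock file holds no secrets and is meant to be committed. I would remove the `+terraform/.terraform.lock.hcl` line and commit the lock file instead; if it was added because of cross-platform hash mismatches, `terraform providers lock -platform=...` is the usual way to record all needed platforms.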
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 449cee7..3a32cb5 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -17,6 +17,5 @@ ansible:
- chmod 0755 ansible/ # HACK: https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir
- apt-get update && apt-get install -y bash git
- ./scripts/ansible/setup.sh
- - chmod -x ansible/vault-pass.sh # HACK: Pretend executable _is_ the password
script:
- ./scripts/ansible/lint.sh
diff --git a/README.md b/README.md
index 3f697fb..221d981 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@
### Private Settings
-Ansible [integrates](https://theorangeone.net/posts/ansible-vault-bitwarden/) with Bitwarden through its [CLI](https://bitwarden.com/help/article/cli/).
+The ansible vault password needs setting in `ansible/.vault_pass`.
Terraform configuration needs to be placed in `terraform/secrets.auto.tfvars`.
diff --git a/ansible/.ansible-lint b/ansible/.ansible-lint
index c2c7262..4858af9 100644
--- a/ansible/.ansible-lint
+++ b/ansible/.ansible-lint
@@ -1,11 +1,10 @@
skip_list:
- - command-instead-of-shell
- - no-handler
- - git-latest
+ - 305
+ - 401
+ - 301
+ - 503
exclude_paths:
- ansible/galaxy_roles/
- ansible/galaxy_collections/
- ~/.ansible
- - roles/nebula/files/nebula.yml
- - roles/traefik/files/traefik.yml
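Review bot: The new `skip_list` entries are bare numeric ids, which are meaningful only for the ansible-lint 4.x pin introduced in `dev-requirements.txt` and say nothing to a reader; each should carry a comment naming the rule, e.g. `- 305  # use shell only when shell functionality is required (was command-instead-of-shell)`. Per the 4.x rule table `305`, `503` and `401` correspond to the three names removed here, while `301` (commands should not change things if nothing needs doing) appears to be a newly skipped rule, which deserves a one-line justification of its own. The two `exclude_paths` entries dropped at the end of the hunk are not obviously related to the version change, so it is worth confirming those files now lint cleanly.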
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index b3bf7cb..6ab62d9 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -6,8 +6,7 @@ roles_path = $PWD/galaxy_roles:$PWD/roles
collections_path = $PWD/galaxy_collections
inventory = ./hosts
become_ask_pass = True
-interpreter_python = auto_silent
-vault_password_file = ./vault-pass.sh
+interpreter_python = auto
[ssh_connection]
pipelining = True
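Review bot: `vault_password_file` is removed without a replacement, yet the README in this same commit tells users to put the vault password in `ansible/.vault_pass` and `.gitignore` now ignores that path; nothing visible in the diff wires the file into Ansible, so every `!vault` value added elsewhere in this commit would prompt interactively or fail unless `ANSIBLE_VAULT_PASSWORD_FILE` is set out of band. I would keep the option and point it at the new file: `vault_password_file = ./.vault_pass`. The `[defaults]` section header is outside the hunk.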
diff --git a/ansible/dev-requirements.txt b/ansible/dev-requirements.txt
index 02bfca2..2af2326 100644
--- a/ansible/dev-requirements.txt
+++ b/ansible/dev-requirements.txt
@@ -1,3 +1,2 @@
-ansible-lint==5.3.2
+ansible-lint==4.3.5
yamllint==1.24.2
-ansible
diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml
index d61c3c7..873ca71 100644
--- a/ansible/galaxy-requirements.yml
+++ b/ansible/galaxy-requirements.yml
@@ -6,18 +6,15 @@ collections:
roles:
- src: geerlingguy.docker
- version: 4.2.3
- src: geerlingguy.ntp
- version: 2.3.1
- src: realorangeone.reflector
- - src: ironicbadger.proxmox_nag_removal
- version: 1.0.1
+ - src: https://github.com/jsclayton/ansible-role-proxmox-nag-removal
+ version: b0502ef4c371bbfb18faf85f5d869e3ffec661a8 # https://github.com/IronicBadger/ansible-role-proxmox-nag-removal/pull/15
+ name: IronicBadger.proxmox-nag-removal
- src: chmduquesne.iptables_persistent
- src: rossmcdonald.telegraf
- version: v1.2.0
- src: geerlingguy.gitlab
- version: 3.2.0
- src: dokku_bot.ansible_dokku
- version: v2021.11.28
- - src: ironicbadger.snapraid
- version: 1.0.0
+ - src: https://github.com/RealOrangeOne/ansible-role-snapraid
+ name: IronicBadger.snapraid
+ version: 8bb040fef8ad33f01f9175f754adb750b8828b32 # https://github.com/IronicBadger/ansible-role-snapraid/pull/9
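Review bot: The two commit-SHA `version:` values are unquoted; these particular hashes contain letters and so parse as strings, but a SHA that happens to be all digits would be read as an integer and break the pin, so quote them: `version: "b0502ef4c371bbfb18faf85f5d869e3ffec661a8"` and `version: "8bb040fef8ad33f01f9175f754adb750b8828b32"`. Pinning third-party forks to a commit rather than a branch is the right call. Since both forks are installed under the upstream `IronicBadger.*` names, a short comment next to each `name:` saying it is a fork awaiting the linked upstream PR would stop a later reader from assuming the upstream role is in use.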
diff --git a/ansible/group_vars/all/base.yml b/ansible/group_vars/all/base.yml
index 4bea0c8..4f0e3e8 100644
--- a/ansible/group_vars/all/base.yml
+++ b/ansible/group_vars/all/base.yml
@@ -1,4 +1,4 @@
-timezone: Europe/London # noqa var-naming
+TZ: Europe/Sofia
# HACK: Some of the hostnames aren't valid dict keys
hostname_slug: "{{ ansible_hostname | replace('-', '_') }}"
diff --git a/ansible/group_vars/all/docker.yml b/ansible/group_vars/all/docker.yml
index 684e714..1ed1cb7 100644
--- a/ansible/group_vars/all/docker.yml
+++ b/ansible/group_vars/all/docker.yml
@@ -1,6 +1,6 @@
docker_user:
- id: 3000
- name: dockeruser
+ id: 9090
+ name: dockeru
docker_compose_file_mask: 0664
docker_compose_directory_mask: 0775
diff --git a/ansible/group_vars/all/hosts.yml b/ansible/group_vars/all/hosts.yml
index 59703fa..68d7e6c 100755
--- a/ansible/group_vars/all/hosts.yml
+++ b/ansible/group_vars/all/hosts.yml
@@ -1,5 +1,5 @@
"hosts":
- "casey_ip": "213.219.38.11"
- "decker_ip": "192.46.233.9"
+ "casey_ip": "108.61.221.88"
+ "decker_ip": "95.179.223.50"
"grimes_ip": "104.238.172.209"
"walker_ip": "192.248.168.230"
diff --git a/ansible/group_vars/all/pve.yml b/ansible/group_vars/all/pve.yml
index b337803..e457c40 100644
--- a/ansible/group_vars/all/pve.yml
+++ b/ansible/group_vars/all/pve.yml
@@ -1,25 +1,15 @@
pve_hosts:
- internal_cidr: 10.23.1.0/24
+ internal_cidr: 192.168.1.192/26
pve:
- ip: 10.23.1.1
- external_ip: 192.168.2.200
- pve_restic:
- ip: 10.23.1.11
- forrest:
- ip: 10.23.1.13
+ ip: 192.168.1.225
+# external_ip: 192.168.2.200
jellyfin:
- ip: 10.23.1.101
+# ip: 10.23.1.101
+ mouse:
+ ip: 192.168.1.222
docker:
ip: 10.23.1.103
- gitlab:
- ip: 10.23.1.106
- gitlab_runner:
- ip: 10.23.1.107
+ gitea:
+ ip: 192.168.1.231
ingress:
ip: 10.23.1.10
- homeassistant:
- ip: 192.168.2.203
- qbittorrent:
- ip: 10.23.1.105
- renovate:
- ip: 10.23.1.110
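Review bot: After this hunk `jellyfin:` has only a commented-out `ip` beneath it and is followed by `mouse:` at the same indent, so `pve_hosts.jellyfin` parses as `null` and any `pve_hosts.jellyfin.ip` lookup will raise an undefined-attribute error; either give it a real `ip:` or drop the `jellyfin:` key rather than leaving a commented placeholder. Separately, `internal_cidr` changes to `192.168.1.192/26` while `docker` (`10.23.1.103`) and `ingress` (`10.23.1.10`) keep addresses outside that range, which looks inconsistent if anything derives firewall or route rules from the CIDR — worth confirming which is intended. The same commented-out style is used for `# external_ip` on the `pve` entry.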
diff --git a/ansible/group_vars/all/traefik.yml b/ansible/group_vars/all/traefik.yml
new file mode 100644
index 0000000..e81ff56
--- /dev/null
+++ b/ansible/group_vars/all/traefik.yml
@@ -0,0 +1,11 @@
+traefik_pages_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36613865643964363065396534373438383931323930333962653762633831383039363737386430
+ 3832343537373366306162383136316365313836623236360a343936623764383264633166666139
+ 37666165653938636164363765613964336663326666643537343131613133313336626266663138
+ 6162326633306162650a363731663031613738333564393033333131373630383163666264663130
+ 36323039363133366562626262386530616134623234623365663662643362386239643637346633
+ 33383735303736336661633739623565356664386462653062313632353830323439393563386439
+ 35313433666362383066303135396265393632376535396265323838376437653132393637376531
+ 66643233353735353133626539346432366166303732343666333735633136313661333761653865
+ 33623164306363623665613063656438303938306138336233393234663532323938
diff --git a/ansible/group_vars/all/user.yml b/ansible/group_vars/all/user.yml
index 938ba9d..d79eac9 100644
--- a/ansible/group_vars/all/user.yml
+++ b/ansible/group_vars/all/user.yml
@@ -1,3 +1,3 @@
-user: jake
+user: marto
home: /home/{{ user }}
-name: Jake Howard
+name: Martin Dimitrov
diff --git a/ansible/group_vars/all/vault.yml b/ansible/group_vars/all/vault.yml
deleted file mode 100644
index 1ab251a..0000000
--- a/ansible/group_vars/all/vault.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-30343133373338316432396463353230353530636565643265313335353739323638326635313331
-6563393438343438363539643864636330333138323362350a303563323730393933323164363033
-65366435613762333662356239303138393033393639376438396362343838376634346432663461
-3963633862303834390a656363303732653563636135313837373731366333633430376231343036
-34393438326166613135373035653031626663383565343262376232333662323138656331373437
-39383961626432653864336465623362323934326164376561386631366261323339316265383233
-65333233333666653231343336393162633838663032313233653339373630356664383463306639
-35343166376637626437356631393030363362306634633133353534303031653363323332393934
-36666466333431663762366163396238343534373131663733666536393536323365616334376566
-37636336363437323631663334653038316333663330336562383934323930646337356231643566
-33303431616436383966323065393761313732643063376534386136343965346231666335386434
-33363138626234613937306564663861326666373865363664346231333061396464666235356439
-39373734613535626530306163643463343038666534656338626263383337656430356561356164
-65306236613832383639306363636538376334656531656666373332623463636636323638303165
-62386166626361383532636162393461343463303638303766666638376539363266663261636330
-63633039663066373234613432333561363834363363363866346537383838633231653663313135
-34356331613162336237356265326561656362646330666664343461316430343736373237616163
-35346437343634663439633935303331376239356636653136656535636631663734656431626438
-66616331303564353833653161653266623639303134656137376161356439346636373465376437
-31663063383534613638636531373761333764653266653161313231373261656134373436643366
-62633666363833636564656562353138333436653630316135663735376661663834633937393538
-37336434613362303165383139353663623231326139636365623137656134353638353862316563
-61303538663663363332303231373139653638666231356165383039353662653033613238366166
-33356236643333383335346532383065653839353133323437333264643632303230333339396665
-66663032643638616536303061366561626234346664663734306166633064323933653031306131
-39366538393533393765623131353434366535346535316139656361396538313435613338623763
-36653366636135633537643761363762383963643238646337356631353132343939633963373938
-63623265356435383731613031626261346264373330343066643965386431353362383134356630
-31313661373332643861383939633633383236626138343231383930643464343131663164396565
-32313939323235336132653566373931653738376464363136366363336466336336633463646537
-64306339653862636361376436396533643736653335316430353465396133323938373338653434
-39336562383235376336373265346230333834343566653530376334336131393332336362303834
-63363933643665383264373532303436623965633563396638356539366433396664303439353137
-65643463306134353735363838353562356265613239323264386465336232396361663938363266
-66313962613966346633303334633537376130313663343332333130626563303232316363633735
-31373862313039626262336130643139653762363165333063323661616430653332653739316661
-39363866643036613036633164343964633366653866366138323339363238363861336166373266
-64323163313661333730313437653232353564656434316364613232326237346666346166323935
-37363839653933366365393162393739656634343037623236376362666262333537653231306332
-61333166303963653563396531646631643439343039663631383664643835356337333933316533
-63633366616136396665343233336565396561333531666433336234636366666535376565303165
-33306263346633373936303661656233326263313164353334616166376666336236663534363466
-66386534633833333533323463646637383266613361643735643832383730373562353133326661
-39653137306166353265653834323961343136333765386431336461356664343061656363333535
-3035
diff --git a/ansible/group_vars/all/wireguard.yml b/ansible/group_vars/all/wireguard.yml
index 90f4f64..3a11c5d 100644
--- a/ansible/group_vars/all/wireguard.yml
+++ b/ansible/group_vars/all/wireguard.yml
@@ -4,18 +4,74 @@ wireguard:
cidr: 10.23.0.0/24
server:
ip: 10.23.0.1
- public_key: "{{ vault_wireguard_server_public_key }}"
- private_key: "{{ vault_wireguard_server_private_key }}"
+ public_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38663861323433663733306266313862383538613562616531656262616665393130626564666539
+ 6636666561663137623166383432396163653835346335650a616139306431363934383031353161
+ 63656233623963316238663366613237613165663238343937313062616565333038326664373463
+ 6463623861656362350a636564363163353736613032386533613163333039336637356433633037
+ 66663563666263613737336235316565663337636339613933343939323563393034353431343932
+ 6339386262333134373465616637613534333839333265613563
+ private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 39333362373534343265623337353037343238623365633863373333323166646562326234336633
+ 3265653136326337306439623331393733346237326630340a346466316562643432656330313764
+ 64303535663736356561623636366261343830366561343463653561343337353034626533306634
+ 3334323935303734660a373961303535646336663637346137316337383132346665366336353139
+ 34313137366239323361386136396666646362306538616661643164383166326335666638336230
+ 6432363064313239656338356630626235336239356662326362
clients:
bartowski:
ip: 10.23.0.10
- public_key: "{{ vault_wireguard_bartowski_public_key }}"
- private_key: "{{ vault_wireguard_bartowski_private_key }}"
+ public_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65636435336562653438363866663238353065303132383633613539633738303461303838313332
+ 3331626266336635376338636236383131333765626634310a663765363736653363366463306464
+ 37633539396233333036313837363033623038386437393461316335643038383234656338646439
+ 6336386563383162360a316463316539623536643235346461303463616230663964666438623837
+ 39346131303535656335633034393963393632346531643133383365333161376464336338393138
+ 6633386362393932323739353638383566373434643766613536
+ private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 30656637616266383939373864643365343730396434303561336661646561333462313231373032
+ 3661333939633863393166396532303065316464616466630a653733626539353263376632633766
+ 61646264343332346639326239306465363033303566326638363262656363313963393637353135
+ 3935663663613332370a656438663934343365343766373665643538616233366563353463336331
+ 61623763306665636361643664383566373861363037386664626638666566623034633134626465
+ 3831666130333133636536633539346431613863623330326430
op7:
ip: 10.23.0.11
- public_key: "{{ vault_wireguard_op7_public_key }}"
- private_key: "{{ vault_wireguard_op7_private_key }}"
+ public_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 64383363343138626533326634313735666336393632396239333037383664366661356231663335
+ 6130326664303735376661353031666561333232396437350a343334333831663834353934356136
+ 34306439346661326363396136396632663435633430323238393737393565313136613166313264
+ 3231626438346636360a643766633130393761646433613565653765393330616136343033303166
+ 37623262333037323136363732626366363036626332306437373439633762353461306436363033
+ 3733613235356636323930656364646531633665616537316462
+ private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33376138383030336261303764626561643764633433316564613535383963636239666437363032
+ 6338666632376231386430396662656130323637383461620a613534653563343363653764663734
+ 64656565636133663063323163383030373366353863393661393733616231346565666531373939
+ 6533393634663939350a313237386565313737346664333334653932663935653338623465383631
+ 34646432373131626465653632613235363730353531363136333339383130346535313536636265
+ 3631316663306563366137656364313266366237646665303362
ingress:
ip: 10.23.0.2
- public_key: "{{ vault_wireguard_ingress_public_key }}"
- private_key: "{{ vault_wireguard_ingress_private_key }}"
+ public_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 35303230376161383436623662376136623039646533323737613533346662333633303335363337
+ 3662396435616535386334623563396330306432653263380a306563303664636565333537313338
+ 34356331336664336362616235353136346237303263326331383137306536643438313639653938
+ 3961366563356562660a303131396334626135663038633536326132623332313436363037343632
+ 64613566623238393337613161333438316536633631626536393263656466316363356131623732
+ 3134333035613634313934333461626531333437313835386431
+ private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 39353738366635326164316161636531366133613439343166383030623164366361613830303232
+ 3738303931386336313534303332396363366233623164660a386664353333393137623065396634
+ 36333261376136313939616563326235376331636164353538626363393361313739383239613466
+ 3635663664366261320a653334626366376539386232373034643235356433643934383132343439
+ 33633865353337356636343562383163323039663061653763633166346566396665366434666335
+ 3832346662303438633233393165343030616331353936633262
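Review bot: Every `public_key` in this hunk is vault-encrypted alongside its `private_key`, but WireGuard public keys are not secret and encrypting them means a key rotation or a peer change is invisible in review and cannot be diffed. I would keep `public_key: <plaintext base64 key>` and reserve `!vault |` for the `private_key` values, which is also what the previous `vault_wireguard_*_public_key`/`_private_key` split was approximating. The enclosing `wireguard:` mapping starts before the hunk.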
diff --git a/ansible/host_vars/decker.yml b/ansible/host_vars/decker.yml
new file mode 100644
index 0000000..39de68a
--- /dev/null
+++ b/ansible/host_vars/decker.yml
@@ -0,0 +1,11 @@
+restic_backup_locations:
+ - /opt
+ - "{{ home }}/db-backups"
+restic_healthchecks_id: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38326130663036353465396538356534333432393033623531393433383263383665353736653762
+ 3061633438386630643536366265633262663365363539320a343134396562626136346435373163
+ 33313762336136373836376133656437396139653366363666353432616433663464356532303535
+ 3833323130363961620a666630313566376134313139666361366439626666393962373965386238
+ 37326164393231303331616630636231316664383461346136323738616364383635313261666537
+ 3162363138386335656232336666646536666266383665346634
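Review bot: `"{{ home }}/db-backups"` is added as a restic backup location here (and in `host_vars/walker.yml`), but the same commit removes the `db_auto_backup` play from `main.yml` and the `db_backups_dir` setting from `pve-docker.yml`, so it is unclear what still writes to that directory; if nothing does, restic will at best back up an empty or missing path. Worth a comment naming the producer, e.g. `- "{{ home }}/db-backups"  # written by <producer — TODO confirm>`, or dropping the entry if the backup job is gone for good.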
diff --git a/ansible/host_vars/decker/main.yml b/ansible/host_vars/decker/main.yml
deleted file mode 100644
index f3e016e..0000000
--- a/ansible/host_vars/decker/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-restic_backup_locations:
- - /opt
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"
diff --git a/ansible/host_vars/decker/vault.yml b/ansible/host_vars/decker/vault.yml
deleted file mode 100644
index ce7903a..0000000
--- a/ansible/host_vars/decker/vault.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-37326662353562626466613939643162346663306230333066323231346233633561363932313364
-6636326134326435356161653231643666343432373133380a623161326465613235626236623062
-63303436626538646432323337343062376235363734623935663135666531306562616630343835
-6537356330336261360a666166366663633937326534616534316531366136613237633035383738
-38333832653935623637333437386531353831616130656532356662363765306439633464626661
-66386538336266353538356431393162373763383734633638323866396434363465303866303163
-31366566316338636239313539343465343336376435633834396239643535663563373832303331
-35643966653666653538626236663437616164653764323562346238663538396233636233326165
-62373633383539353237376130363334373936623532653538326366366261613833383734376330
-34393234393461346137336561363264613139616161333239363334346465323234376661616166
-656331326539323739626633376662613564
diff --git a/ansible/host_vars/forrest/vault.yml b/ansible/host_vars/forrest/vault.yml
deleted file mode 100644
index eacb481..0000000
--- a/ansible/host_vars/forrest/vault.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36376462326539663933303664633661303163333865656435356465373264626366336137303563
-6239643535636538636434313739303030333162613635610a643831613934643631306232613130
-65386166663136646161643133643238643033363533616664653565313463396138663839353131
-3637333263663333610a653361336264313835383239396662626462353239616165626134666663
-36386234633039653431343564653463376561306430663939663338646665616532393364363363
-38613034393265376133366232386662373634623662613762653439633931323634613838656262
-30623763366362653834636161646339393933346134613132623365656363373165323633663432
-37636538383734646363
diff --git a/ansible/host_vars/grimes/main.yml b/ansible/host_vars/grimes.yml
similarity index 58%
rename from ansible/host_vars/grimes/main.yml
rename to ansible/host_vars/grimes.yml
index 7e1bdad..67d3305 100644
--- a/ansible/host_vars/grimes/main.yml
+++ b/ansible/host_vars/grimes.yml
@@ -24,9 +24,15 @@ restic_backup_locations:
- /var/lib/dokku/config
- /var/lib/dokku/data
- /var/lib/dokku/services
- - /opt/db-auto-backup/backups
restic_backup_excludes:
- /home/dokku/**/cache # Caches are big, don't need those
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"
+restic_healthchecks_id: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66316632623066346265613438663263636530643862353664613939323835353736613635343662
+ 3433313362346338623439343962333161343134623930610a386133653939366630646537656335
+ 66666633323063353464326564653362356666376331656635663863353966363434333863396463
+ 3264326637306366380a383739653061343561303939363932396232323065323164653563663161
+ 66646363326639333530376134343465666138656134343765663130333739313631666266636363
+ 3539613535636461316461386238373730643238313435303439
diff --git a/ansible/host_vars/grimes/vault.yml b/ansible/host_vars/grimes/vault.yml
deleted file mode 100644
index 22839fb..0000000
--- a/ansible/host_vars/grimes/vault.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-35343036383263323932663736373236313935646135656437646566373637373933643631663466
-3234633065393161663761323330626230383633643865610a663064313938353131663833633534
-63353431633763313731316564363863343232623663383366386133383035343465383935626464
-3661373034663330360a653734363033663531383338343239636263626162353036333964383862
-38316636653961643638386162323466643032646663383866306565636234333431366538613930
-65376137353932393931333366373962663939656664373536653063666534653631663964366466
-61316232663430346237343165363461396661343836316137326238313437356562333038306235
-38613732356434326637383832303636666162316333366564346562656530343461326662666230
-63663535616461646539623863373631383630313533623138613530383334333939366638653131
-61666539316263396666616264636533633035393937623332653632663130326630303337643439
-336466346361336239333938636239306563
diff --git a/ansible/host_vars/pve-docker/main.yml b/ansible/host_vars/pve-docker.yml
similarity index 83%
rename from ansible/host_vars/pve-docker/main.yml
rename to ansible/host_vars/pve-docker.yml
index 3da7c38..50265cb 100644
--- a/ansible/host_vars/pve-docker/main.yml
+++ b/ansible/host_vars/pve-docker.yml
@@ -6,5 +6,3 @@ traefik_provider_grafana: true
traefik_provider_gitlab: true
with_fail2ban: true
-
-db_backups_dir: /mnt/tank/dbs/backups
diff --git a/ansible/host_vars/pve-docker/vault.yml b/ansible/host_vars/pve-docker/vault.yml
deleted file mode 100644
index b7c98ce..0000000
--- a/ansible/host_vars/pve-docker/vault.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-35383562343262633962376665646331613539666465663661376361306439366662646439376561
-6139303637323938303537313331353937636631396537630a626362383465336661636431373163
-36666665373636353263636366303064386262653038396338396532376363616236623430363431
-3965653231323338360a396635666137343865373063376639333735323434346136663636396533
-65616465633839663335666236383039356334353561343830363264353532326530326565323339
-61643637663966626264626166663639666465383063333266353064396565653564623735663939
-35646461393163633639326563353835313762353166346237383430336632353761623438353930
-61333536343662396331
diff --git a/ansible/host_vars/pve.yml b/ansible/host_vars/pve.yml
new file mode 100644
index 0000000..5bce9c3
--- /dev/null
+++ b/ansible/host_vars/pve.yml
@@ -0,0 +1,59 @@
+private_ip: "{{ pve_hosts.pve.ip }}"
+
+zpools_to_scrub:
+ - tank
+ - rpool
+
+# 7GB, or so
+zfs_arc_size: 7000000000
+
+sanoid_datasets:
+ tank:
+ use_template: production
+ recursive: true
+ process_children_only: true
+
+ rpool:
+ use_template: production
+ recursive: true
+
+# Snapraid
+snapraid_install: false
+snapraid_runner: false
+
+snapraid_data_disks:
+ - path: /mnt/bulk
+ content: true
+snapraid_parity_disks:
+ - path: /mnt/parity
+ content: true
+
+snapraid_content_files:
+ - /mnt/tank/files/snapraid.content
+ - /var/snapraid.content
+
+snapraid_config_excludes:
+ - "*.unrecoverable"
+ - /lost+found/
+ - "*.!sync"
+ - /tmp/
+
+snapraid_scrub_schedule:
+ hour: 5
+ weekday: 4
+snapraid_scrub_healthcheck_io_uuid: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 39306266626437303331656561323032666232616430383534306464396437363436643234353862
+ 3061373137353131353139383862326166643230323564370a383636353035316538623661303331
+ 37383836636330663335336633333464623938626365373935346538633638613931653338376638
+ 6161313231343164370a363031353365336131333337336531346539383131363034376236303332
+ 66313661636635633631376163656235373034343637313161393633353866643662353639623062
+ 3465366462363062363438666237306538363234613862666238
+snapraid_sync_healthcheck_io_uuid: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63303862326336613366333136633633613864663364616235346632303033303339316635363863
+ 3134646236636663396663363835323130666665643935630a376437613131373338623237393761
+ 62303731373138366136323432316261396232386365636635316637643031386138653936636234
+ 6639323030383330310a623234333235323536313534643736666237666265393533343736316466
+ 30643363653761336364323331663037643030313962656339646661336534396337353761393738
+ 6563613764353932633962343261643832656637613961373333
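Review bot: `sanoid_datasets` still references `use_template: production` for both `tank` and `rpool`, but the `sanoid_templates` mapping that defined `production` in the deleted `host_vars/pve/main.yml` is not carried over into this new file, so unless the sanoid role ships a `production` template the snapshot policy (48 hourly, 28 daily, 3 monthly) is silently lost. I would restore the template definition alongside the datasets; the unused `replaceable` template can stay dropped if nothing references it.

```yaml
sanoid_datasets:
  # … unchanged: tank / rpool entries …

sanoid_templates:
  production:
    frequently: 2
    hourly: 48
    daily: 28
    monthly: 3
    yearly: 0
    autosnap: true
    autoprune: true
```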
diff --git a/ansible/host_vars/pve/main.yml b/ansible/host_vars/pve/main.yml
deleted file mode 100644
index dbc0645..0000000
--- a/ansible/host_vars/pve/main.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-private_ip: "{{ pve_hosts.pve.ip }}"
-
-zpools_to_scrub:
- - tank
- - rpool
-
-# 5GB, or so
-zfs_arc_size: 5000000000
-
-sanoid_datasets:
- tank:
- use_template: production
- recursive: true
- process_children_only: true
-
- rpool:
- use_template: production
- recursive: true
-
-sanoid_templates:
- production:
- frequently: 2
- hourly: 48
- daily: 28
- monthly: 3
- yearly: 0
- autosnap: true
- autoprune: true
-
- replaceable:
- frequently: 0
- hourly: 24
- daily: 7
- monthly: 0
- yearly: 0
- autosnap: true
- autoprune: true
-
-
-# Snapraid
-snapraid_install: false
-snapraid_runner: false
-
-snapraid_data_disks:
- - path: /mnt/bulk
- content: true
-snapraid_parity_disks:
- - path: /mnt/parity
- content: true
-
-snapraid_content_files:
- - /mnt/tank/files/snapraid.content
- - /var/snapraid.content
-
-snapraid_config_excludes:
- - "*.unrecoverable"
- - /lost+found/
- - "*.!sync"
- - /tmp/
-
-snapraid_scrub_schedule:
- hour: 5
- weekday: 4
-
-snapraid_scrub_healthcheck_io_uuid: "{{ vault_snapraid_scrub_healthcheck_io_uuid }}"
-snapraid_sync_healthcheck_io_uuid: "{{ vault_snapraid_sync_healthcheck_io_uuid }}"
diff --git a/ansible/host_vars/pve/vault.yml b/ansible/host_vars/pve/vault.yml
deleted file mode 100644
index 8434467..0000000
--- a/ansible/host_vars/pve/vault.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-35373139393931313861616335663835396132626632363635316430306539666631393230323539
-3830333131633532343962376562663463656235333137340a343536626237306465646661656566
-32346535633838386137383238336130663639633266366137353739633062313730333963626462
-3436633035396461630a313433343330303434396665313536656462306166623636633731353937
-33366265383932343231386438633432623263316363623032356662393538346234326238333130
-64326434393165653134386631636165303836323763636532303562326238366638333063636135
-33303866383934393961363933316433623637656264333531623034383337343231323361383363
-63623264626537363832623662313533326230326665363161643931306338363831343566353839
-39363562366430383461396232653531626131386234643731643463616563363334636365353934
-66643561326566613364653363313763356662623066326232653938373135313561386636313264
-31633938363863633866336435396239346266343662356231376161363763666332306330393337
-64373933396136386366
diff --git a/ansible/host_vars/restic.yml b/ansible/host_vars/restic.yml
new file mode 100644
index 0000000..6c5ae4b
--- /dev/null
+++ b/ansible/host_vars/restic.yml
@@ -0,0 +1,20 @@
+restic_backup_locations:
+ - /mnt/tank
+restic_healthchecks_id: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 61343535336633643231356138356631663130313234343538366634393661666232303965643365
+ 3735323363366366303366336163623334316638653164610a633735316466336637346666666536
+ 64323361653034303033383333333037346637343865636634386533653337363936386130396265
+ 3134623162393034370a383737386434653036373639636631363233623232383936313264656539
+ 62376636326332386330663432306135313938623134383239373435666666356538363639323333
+ 3264386632376261666566373032363261643961376635336131
+
+restic_forget: true
+restic_forget_healthchecks_id: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 35356435623338613263633563623834376461643133386432366666373336373637326637626538
+ 3264323338323034613633346431363362656362303530650a303861343438643232396436383065
+ 34366236343664616566646564616532643066353732616566343665306464353637613362373837
+ 6135323461646234360a383039623663333761343439636332323139616365313865666261336162
+ 65663363666165313065323939653530613234613139316436343839356262363666373262366539
+ 6666333133626561636638326335353135313637393033313138
diff --git a/ansible/host_vars/restic/main.yml b/ansible/host_vars/restic/main.yml
deleted file mode 100644
index 49e08ca..0000000
--- a/ansible/host_vars/restic/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-restic_backup_locations:
- - /mnt/host/mnt/tank
- - /mnt/host/etc/pve
- - /mnt/home-assistant
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"
-
-restic_forget: true
-restic_forget_healthchecks_id: "{{ vault_restic_forget_healthchecks_id }}"
diff --git a/ansible/host_vars/restic/vault.yml b/ansible/host_vars/restic/vault.yml
deleted file mode 100644
index cb262ed..0000000
--- a/ansible/host_vars/restic/vault.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-31333338396531316366353161666432346634373335356464663837386231616632373833656130
-3361383732623965393533316366373864323064393530330a346565393462316561383733653437
-62363736356432363239373863303734323437333034343266313135383866303566396639646230
-3839333535393036390a383534346233633935393561353637353835663763343531613238653664
-39356365306630373036396132373562646130636439373964333363306431666565613434646365
-64353933656365653431386463623034643564303266396438353064373434336436366431366338
-31386637376165633731373633656336623531323965343534323031363163356239353031643165
-37663232636234663735613037666161393736663432656139646264313763303164386161626162
-65393363336435333738303061613738636666303961653361376131376161623264343666353061
-61663636656339363539666335643239653361383961333665646562613935396335623565306531
-643165653537326431373637303639343763
diff --git a/ansible/host_vars/walker.yml b/ansible/host_vars/walker.yml
new file mode 100644
index 0000000..6a501e1
--- /dev/null
+++ b/ansible/host_vars/walker.yml
@@ -0,0 +1,13 @@
+with_traefik_pages: true
+
+restic_backup_locations:
+ - /opt
+ - "{{ home }}/db-backups"
+restic_healthchecks_id: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 30663732643431326232366364373238653263613039373232663563303334326137376663373366
+ 6136306335363665313133623531643736653934323034620a346461633634633932343936376361
+ 36386539376630333361336664616238363532643764616137666435336366373962396336633835
+ 6338343236636637620a643137396563333862376464333461376535663938313034323236653334
+ 34393364666562303630396333663463363735353134313161303062373433393731373461383634
+ 6266613466303865333834616630626337383735323566336639
diff --git a/ansible/host_vars/walker/main.yml b/ansible/host_vars/walker/main.yml
deleted file mode 100644
index d01eb67..0000000
--- a/ansible/host_vars/walker/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-with_traefik_pages: true
-
-restic_backup_locations:
- - /opt
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"
diff --git a/ansible/host_vars/walker/vault.yml b/ansible/host_vars/walker/vault.yml
deleted file mode 100644
index 90dcecb..0000000
--- a/ansible/host_vars/walker/vault.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-65616232306563653238306536316238353432656365303665343830323833376436303231646230
-6633613632646639326266333639663734326135373165660a616534353763643737646363363635
-35316462343935666362313735376164343238313564366232346330313565613039643735626535
-3335366566303730640a656665323266386430383263326161376435663062353763396264316462
-62663166326262633437643065396132326366646331323330316565626637656632643162636563
-63623563386164333638633638633061616266316333336133313166373639643633643631386136
-39633565343862333134323737393761323365636534303863646233646639636437656335633836
-66356237386162316365376238343430373866623463633635383634383336393264363364663139
-32613761643030343764396339386538333663376633646332613330373838343137373833643235
-61303762336132326339363366623231366565316139383561656364376564336230346533323638
-626365336439666234343531666266646437
diff --git a/ansible/hosts b/ansible/hosts
index f58da32..6ef7902 100644
--- a/ansible/hosts
+++ b/ansible/hosts
@@ -1,17 +1 @@
-casey
-walker
-grimes
-decker
-
-pve
-
-# PVE VMs
-ingress
-pve-docker
jellyfin
-forrest
-qbittorrent
-restic
-pve-gitlab
-pve-gitlab-runner
-renovate
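Review bot: The inventory is reduced to the single host `jellyfin`, yet the plays in `ansible/main.yml` touched by this same commit still target `pve`, `casey`, `ingress`, `qbittorrent`, `walker`, `grimes`, `decker` and `forrest`, and `ansible.cfg` keeps `inventory = ./hosts`; those host patterns will match nothing and Ansible will only warn, so the playbook silently does far less than it appears to. Either the removed hosts should be restored here (with `hosts.yml` supplying their addresses) or the corresponding plays and `host_vars` files should go too. Even a comment such as `# jellyfin is the only managed host; other plays in main.yml are intentionally inert` would make the current state explicit.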
diff --git a/ansible/main.yml b/ansible/main.yml
index 3c711b5..aabb00e 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -9,12 +9,12 @@
- gateway
- nebula
- fail2ban_ssh
- - wireguard_53
- hosts:
- pve
- casey
- ingress
+ - qbittorrent
- walker
- grimes
- decker
@@ -22,17 +22,12 @@
- role: geerlingguy.ntp
become: true
vars:
- ntp_timezone: "{{ timezone }}"
+ ntp_timezone: "{{ TZ }}"
ntp_manage_config: true
- hosts:
- - pve-docker
- - forrest
- - walker
- - pve-gitlab-runner
- - grimes
- - decker
- - renovate
+ - jellyfin
+ - ingress
roles:
- role: geerlingguy.docker
become: true
@@ -44,18 +39,7 @@
- docker_cleanup
- hosts:
- - pve-docker
- - forrest
- - walker
- - grimes
- - decker
- roles:
- - db_auto_backup
-
-- hosts:
- - pve-docker
- - walker
- - decker
+ - ingress
roles:
- traefik
@@ -78,12 +62,12 @@
- hosts: pve
roles:
- - role: ironicbadger.proxmox_nag_removal
+ - role: IronicBadger.proxmox-nag-removal
become: true
- zfs
- pve_nebula_route
- telegraf
- - role: ironicbadger.snapraid
+ - role: IronicBadger.snapraid
become: true
- hosts: forrest
@@ -131,7 +115,3 @@
- nebula
- restic
- uptime_kuma
-
-- hosts: renovate
- roles:
- - renovate
diff --git a/ansible/roles/base/files/ssh-keys/mobile.pub b/ansible/roles/base/files/ssh-keys/mobile.pub
deleted file mode 100644
index c832a6e..0000000
--- a/ansible/roles/base/files/ssh-keys/mobile.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 Mobile
diff --git a/ansible/roles/base/files/ssh-keys/mouse.pub b/ansible/roles/base/files/ssh-keys/mouse.pub
new file mode 100644
index 0000000..fa76083
--- /dev/null
+++ b/ansible/roles/base/files/ssh-keys/mouse.pub
@@ -0,0 +1 @@
+ssh-rsa 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 marto@cappuccino
diff --git a/ansible/roles/base/files/ssh-keys/ps.pub b/ansible/roles/base/files/ssh-keys/ps.pub
deleted file mode 100644
index 7a8683f..0000000
--- a/ansible/roles/base/files/ssh-keys/ps.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbd96S1+SBBdoGfWIGj+5Wa7B16iwUhmmMVz+7QLmYF7fgS98yBzBqd4pTVW0dDf6mmNWMpTo5eNGNys7t9roGTzeIIVA3XOnPgAR1WX03u5c3XnZp4ax2FNq3Q2nYvyu8XUqy81P1yR93fjs49tMs6OAeqWV08xMdE6Y21ewdRti3+zfjKN5RVwHzQa8l6P5tKqMi409KOma/FpepJyLlhdSh6UQBhy+wZHOIwMgRzv9fAV/R1+xsiUDyLZi3Q8yqrTTohARaDAc20yUKJC0x38wx1U4nKJR0O6fzn6aBpulKwAE/7qpp+oSzEYJES1ATaglrZ/M0h58euNDfNcxOl9XVAvG2ZJjlC9VwIu6R7YtpIFVRERKUKJbn+NnN2iheDjsIkm6mX3uvOMq6aCVIuBU6aDatTDXC3lXXzxBHOc5iU9FrvQe1olePNhhhd1kl7jy7eanOq9EqEvhFIpPGrVOPm37M4MY6bCoH7+YgWTgxAR1O7KYsKEaoJcVq5dJxC3Gsj49WdCw2OUguCZl/FPscRnHgCTNGPdimeXaxGnSdSw2LCxDGq90RquQAnLuFmiCp5M1ouI+234BpD6trE85sshnpWo5WW8jt5yvlYV3o4L4OtqWLhTh7O0ORUEwQbFmA1FXoWVwn5S0S+PzMOxaw1jv9OZAPESWw+Twtiw== jake@TOO-Portable
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml
index ad3add7..1aceee3 100644
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@@ -1,14 +1,8 @@
- name: Packages
- include_tasks: packages.yml
+ include: packages.yml
- name: User
- include_tasks: user.yml
+ include: user.yml
- name: SSH
- include_tasks: ssh.yml
-
-- name: fail2ban
- include_tasks: fail2ban.yml
-
-- name: logrotate
- include_tasks: logrotate.yml
+ include: ssh.yml
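Review bot: `include` on the three new lines is the deprecated form that `include_tasks` replaced, and recent ansible-core releases have removed it outright, so the original `include_tasks: packages.yml` lines were the safer ones; the same swap appears in the docker_cleanup, forrest, gateway and ingress task files in this commit. This hunk also drops the `fail2ban.yml` and `logrotate.yml` includes from the base role without a replacement in view. Unless the `fail2ban_ssh` role listed in main.yml is applied to every base host, those hosts lose SSH brute-force protection and log rotation at the same time `ssh_port` moves back to 22 in roles/base/vars/main.yml; keeping the two includes, or stating in a comment where that protection now comes from, would make the intent clear.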
diff --git a/ansible/roles/base/tasks/packages.yml b/ansible/roles/base/tasks/packages.yml
index 3b90110..9818fcf 100644
--- a/ansible/roles/base/tasks/packages.yml
+++ b/ansible/roles/base/tasks/packages.yml
@@ -11,3 +11,4 @@
- sudo
- vim
- git
+ - ca-certificates
diff --git a/ansible/roles/base/tasks/ssh.yml b/ansible/roles/base/tasks/ssh.yml
index c1ea135..c44f846 100644
--- a/ansible/roles/base/tasks/ssh.yml
+++ b/ansible/roles/base/tasks/ssh.yml
@@ -12,7 +12,7 @@
- name: Define context
set_fact:
- user: jake
+ user: marto
enable_root: false
- name: SSH config
@@ -20,7 +20,7 @@
src: files/sshd_config
dest: /etc/ssh/sshd_config
validate: /usr/sbin/sshd -t -f %s
- backup: true
+ backup: yes
mode: 0644
become: true
register: sshd_config
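Review bot: `backup: yes` replaces `backup: true` with a YAML 1.1 truthy literal that yamllint rejects and that a YAML 1.2 parser reads as the string "yes"; keep `backup: true`. The same regression appears in roles/gateway/tasks/wireguard.yml (`backup`, `sysctl_set`, `reload`) and roles/ingress/tasks/wireguard.yml (`sysctl_set`, `reload`). The context line `mode: 0644` is an unquoted octal that parses as the integer 420 — Ansible tolerates it, but `mode: "0644"`, as the wireguard task in this commit already writes, is unambiguous.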
@@ -31,8 +31,7 @@
state: present
key: "{{ lookup('file', item) }}"
loop:
- - ssh-keys/ps.pub
- - ssh-keys/mobile.pub
+ - ssh-keys/mouse.pub
- name: Enable SSH
service:
diff --git a/ansible/roles/base/tasks/user.yml b/ansible/roles/base/tasks/user.yml
index 120b1e0..062836f 100644
--- a/ansible/roles/base/tasks/user.yml
+++ b/ansible/roles/base/tasks/user.yml
@@ -8,8 +8,7 @@
become: true
- name: Give user sudo access
- user:
- name: "{{ user }}"
- groups: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}"
- append: true
+ lineinfile:
+ path: /etc/sudoers
+ line: "{{ user }} ALL=(ALL) ALL"
become: true
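Review bot: The new `lineinfile` task edits `/etc/sudoers` directly with no `validate`, so a malformed line or an unexpected `{{ user }}` expansion leaves sudo broken on the host with no remote way back; add `validate: /usr/sbin/visudo -cf %s`. A drop-in file is safer than the distro file itself: `path: /etc/sudoers.d/{{ user }}`, `create: true`, `mode: "0440"` keeps the grant separate and trivially revocable. Note also that the replaced `user`/`groups` task followed the value of `user`, whereas this one only appends — when `user` changes (as it does from `jake` to `marto` in ssh.yml in this commit) the previous user's `ALL=(ALL) ALL` line stays in sudoers.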
diff --git a/ansible/roles/base/vars/main.yml b/ansible/roles/base/vars/main.yml
index df90549..515d52c 100644
--- a/ansible/roles/base/vars/main.yml
+++ b/ansible/roles/base/vars/main.yml
@@ -1 +1 @@
-ssh_port: 7743
+ssh_port: 22
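Review bot: `ssh_port: 22` puts sshd back on the default port in the same commit that removes the `fail2ban.yml` include from roles/base/tasks/main.yml. A non-default port is only obscurity, but the combination means base hosts now answer on the most-scanned port with no rate limiting visible in this role; confirm the `fail2ban_ssh` role in main.yml targets these hosts, or keep the `fail2ban.yml` include alongside this change.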
diff --git a/ansible/roles/db_auto_backup/defaults/main.yml b/ansible/roles/db_auto_backup/defaults/main.yml
deleted file mode 100644
index a766fd8..0000000
--- a/ansible/roles/db_auto_backup/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-db_backups_dir: ./backups
diff --git a/ansible/roles/db_auto_backup/files/docker-compose.yml b/ansible/roles/db_auto_backup/files/docker-compose.yml
deleted file mode 100644
index bdd7f47..0000000
--- a/ansible/roles/db_auto_backup/files/docker-compose.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-version: "2.3"
-
-services:
- backup:
- image: ghcr.io/realorangeone/db-auto-backup:latest
- restart: unless-stopped
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock:ro
- - "{{ db_backups_dir }}:/var/backups"
- environment:
- - HEALTHCHECKS_ID={{ db_auto_backup_healthchecks_id }}
diff --git a/ansible/roles/db_auto_backup/handlers/main.yml b/ansible/roles/db_auto_backup/handlers/main.yml
deleted file mode 100644
index e1be2cc..0000000
--- a/ansible/roles/db_auto_backup/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: restart db-auto-backup
- shell:
- chdir: /opt/db-auto-backup
- cmd: "{{ docker_update_command }}"
diff --git a/ansible/roles/db_auto_backup/tasks/main.yml b/ansible/roles/db_auto_backup/tasks/main.yml
deleted file mode 100644
index cc6fd8c..0000000
--- a/ansible/roles/db_auto_backup/tasks/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-- name: Create install directory
- file:
- path: /opt/db-auto-backup
- state: directory
- owner: "{{ docker_user.name }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Install compose file
- template:
- src: files/docker-compose.yml
- dest: /opt/db-auto-backup/docker-compose.yml
- mode: "{{ docker_compose_file_mask }}"
- owner: "{{ docker_user.name }}"
- validate: docker-compose -f %s config
- notify: restart db-auto-backup
- become: true
diff --git a/ansible/roles/db_auto_backup/vars/main.yml b/ansible/roles/db_auto_backup/vars/main.yml
deleted file mode 100644
index afa6846..0000000
--- a/ansible/roles/db_auto_backup/vars/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-db_auto_backup_healthchecks_id: "{{ vault_db_auto_backup_healthchecks_id }}"
diff --git a/ansible/roles/docker_cleanup/files/docker-utils/db-backup b/ansible/roles/docker_cleanup/files/docker-utils/db-backup
new file mode 100755
index 0000000..11ac011
--- /dev/null
+++ b/ansible/roles/docker_cleanup/files/docker-utils/db-backup
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+BACKUP_DIR=$1
+
+if [ -z "$BACKUP_DIR" ]
+ then
+ echo "No backup dir"
+fi
+
+all_containers=$(docker ps --format "{{.ID}}:{{ .Image }}")
+
+for line in $all_containers
+do
+ IFS=':' read -a container_details <<< $line
+
+ container_name=${container_details[1]}
+ container_id=${container_details[0]}
+
+ case "$container_name" in
+ "mariadb")
+ db_name=$(docker exec $container_id bash -c 'echo $MYSQL_USER')
+ echo Backing up mariadb $db_name
+ docker exec $container_id bash -c 'mysqldump -u $MYSQL_USER -p$MYSQL_PASSWORD --all-databases' | pv > $BACKUP_DIR/$db_name.sql
+ ;;
+
+ "postgres")
+ db_name=$(docker exec $container_id bash -c 'echo $POSTGRES_USER')
+ echo Backing up postgres $db_name
+ docker exec $container_id bash -c 'PGPASSWORD=$POSTGRES_PASSWORD pg_dumpall -U $POSTGRES_USER' | pv > $BACKUP_DIR/$db_name.sql
+ ;;
+ "yandex/clickhouse-server")
+ # Hardcode for plausible
+ tables=$(docker exec $container_id clickhouse-client --query "SELECT name FROM system.tables where database == 'plausible';")
+ for table in $tables
+ do
+ echo Backing up clickhouse table $table
+ docker exec $container_id clickhouse-client --query "SELECT * FROM plausible.$table" --format CSVWithNames | pv > $BACKUP_DIR/plausible-$table.csv
+ done
+ ;;
+
+ esac
+done
+
+echo "Setting user permissions..."
+chown -R root:root $BACKUP_DIR
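Review bot: The empty-argument check at the top only prints a message and falls through, so with no argument the dumps land in `/<user>.sql` and the final `chown -R root:root` runs with no path; it needs `exit 1`, and `set -euo pipefail` at the top so a failed `docker exec` does not leave a truncated file that looks like a valid dump. The files contain whole databases but nothing restricts their mode — `umask 077` before writing and `chmod -R u=rwX,go= "$BACKUP_DIR"` after the chown. The mariadb branch passes the password as `-p$MYSQL_PASSWORD`, which is visible in the container's process list for the duration of the dump, while the postgres branch already uses the `PGPASSWORD` environment variable; `MYSQL_PWD` is the mysqldump equivalent. Every expansion of `$BACKUP_DIR`, `$line` and `$container_id` is unquoted and should be quoted.
```shell
#!/usr/bin/env bash
set -euo pipefail

BACKUP_DIR="${1:-}"

if [ -z "$BACKUP_DIR" ]; then
    echo "No backup dir" >&2
    exit 1
fi
umask 077

all_containers=$(docker ps --format "{{.ID}}:{{ .Image }}")

for line in $all_containers
do
    IFS=':' read -r -a container_details <<< "$line"
    # … unchanged: container_name / container_id assignment …

    case "$container_name" in
        "mariadb")
            db_name=$(docker exec "$container_id" bash -c 'echo $MYSQL_USER')
            echo "Backing up mariadb $db_name"
            docker exec "$container_id" bash -c 'MYSQL_PWD=$MYSQL_PASSWORD mysqldump -u $MYSQL_USER --all-databases' | pv > "$BACKUP_DIR/$db_name.sql"
            ;;
        # … unchanged: postgres and clickhouse branches (quote "$container_id" and "$BACKUP_DIR" the same way) …
    esac
done

echo "Setting user permissions..."
chown -R root:root "$BACKUP_DIR"
chmod -R u=rwX,go= "$BACKUP_DIR"
```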
diff --git a/ansible/roles/pve_docker/files/nextcloud/occ b/ansible/roles/docker_cleanup/files/docker-utils/occ
similarity index 100%
rename from ansible/roles/pve_docker/files/nextcloud/occ
rename to ansible/roles/docker_cleanup/files/docker-utils/occ
diff --git a/ansible/roles/docker_cleanup/tasks/main.yml b/ansible/roles/docker_cleanup/tasks/main.yml
index 356f74f..ef8c765 100644
--- a/ansible/roles/docker_cleanup/tasks/main.yml
+++ b/ansible/roles/docker_cleanup/tasks/main.yml
@@ -49,5 +49,5 @@
directory_mode: 0755
- name: override docker service for zfs dependencies
- include_tasks: zfs-override.yml
+ include: zfs-override.yml
when: docker_zfs_override
diff --git a/ansible/roles/fail2ban_ssh/files/f2b_key.pub b/ansible/roles/fail2ban_ssh/files/f2b_key.pub
deleted file mode 100644
index faf3950..0000000
--- a/ansible/roles/fail2ban_ssh/files/f2b_key.pub
+++ /dev/null
@@ -1,10 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-65656562376262323162613131353164623832616263313530383838623161333739393037363362
-3332616430663862363566613532396230643636376537620a356261383430643566323264343437
-39333034643632316130303136326433613333383738386531353530633539616661626664626430
-3230666237616165650a326536313835643135626135316437356363623562343538383132306539
-38366339356565393336396133616261363232356139623164623738633138363963353637353734
-33333334313864376131653535653132626366306630393764353464636331316564616230396663
-31363463643765386538643761666265383166353765633233323934663235316331346465653234
-31396139633936363738383766356135656434343338623137663436626436663866366663363534
-3364
diff --git a/ansible/roles/fail2ban_ssh/tasks/main.yml b/ansible/roles/fail2ban_ssh/tasks/main.yml
index e8e9226..5da9cc7 100644
--- a/ansible/roles/fail2ban_ssh/tasks/main.yml
+++ b/ansible/roles/fail2ban_ssh/tasks/main.yml
@@ -25,10 +25,3 @@
mode: 0755
become: true
register: sshd_config
-
-- name: Set up authorized keys
- ansible.posix.authorized_key:
- user: "{{ f2b_user }}"
- state: present
- key: "{{ lookup('file', 'files/f2b_key.pub') }}"
- become: true
diff --git a/ansible/roles/forrest/files/grafana/docker-compose.yml b/ansible/roles/forrest/files/grafana/docker-compose.yml
index 8519d2a..fca7e94 100644
--- a/ansible/roles/forrest/files/grafana/docker-compose.yml
+++ b/ansible/roles/forrest/files/grafana/docker-compose.yml
@@ -4,7 +4,7 @@ services:
grafana:
image: grafana/grafana:latest
environment:
- - TZ={{ timezone }}
+ - TZ={{ TZ }}
- GF_DATABASE_URL=postgres://grafana:grafana@db/grafana
- GF_RENDERING_SERVER_URL=http://renderer:8081/render
- GF_RENDERING_CALLBACK_URL=http://grafana:3000/
@@ -30,7 +30,7 @@ services:
- renderer
db:
- image: postgres:14-alpine
+ image: postgres:12-alpine
restart: unless-stopped
volumes:
- /mnt/tank/dbs/postgres/grafana/:/var/lib/postgresql/data
@@ -42,7 +42,7 @@ services:
image: grafana/grafana-image-renderer:latest
restart: unless-stopped
environment:
- - BROWSER_TZ={{ timezone }}
+ - BROWSER_TZ={{ TZ }}
networks:
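Review bot: `image: postgres:12-alpine` is a major-version downgrade for a service whose data directory is a persistent bind mount (`/mnt/tank/dbs/postgres/grafana/` on the context line); if that directory was initialised by the 14 image, Postgres 12 will refuse to start on it, and there is no in-place path back short of a dump from 14 and a restore into 12. Postgres 12 is also past upstream end-of-life, so it receives no security fixes. If the rollback is intentional, a comment above the `db` service should say why and how the data directory was migrated; otherwise keep `postgres:14-alpine`.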
diff --git a/ansible/roles/forrest/tasks/main.yml b/ansible/roles/forrest/tasks/main.yml
index 687e326..bc350b9 100644
--- a/ansible/roles/forrest/tasks/main.yml
+++ b/ansible/roles/forrest/tasks/main.yml
@@ -1,8 +1,5 @@
-- name: Include vault
- include_vars: vault.yml
-
- name: Grafana
- include_tasks: grafana.yml
+ include: grafana.yml
- name: Prometheus
- include_tasks: prometheus.yml
+ include: prometheus.yml
diff --git a/ansible/roles/forrest/vars/main.yml b/ansible/roles/forrest/vars/main.yml
index 7b8b8f8..7955bd9 100644
--- a/ansible/roles/forrest/vars/main.yml
+++ b/ansible/roles/forrest/vars/main.yml
@@ -1,3 +1,21 @@
-grafana_smtp_password: "{{ vault_grafana_smtp_password }}"
-grafana_smtp_user: "{{ vault_grafana_smtp_user }}"
-grafana_from_email: "{{ vault_grafana_from_email }}"
+grafana_smtp_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 30316563333931376361643430343463636266636464303536356166623062633236323331363465
+ 3039666538633165616139663764343031316339666565390a663934313165306631303162373864
+ 36383262386365386664613431373863333963326538633535336139383433316465356236666466
+ 6530386564313761300a346239646234353631386530663931613861313664666633346237313863
+ 31623136616236363235666634303434383866346462643731346532646561656236
+grafana_smtp_user: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33613266323466316166643631393938653439383333343736313061393261366662663238303035
+ 6132346334343863633232303863636230333962316633650a616661346634646666636439323032
+ 63633936336361303635323064666637396335626136613431366161653062303534386637656666
+ 6630623330613439640a613863326331656235313164663736643539373934636633383430346365
+ 39356331376364373931393365646630316566353662356532383034616439393237
+grafana_from_email: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 62613637623430356637343861326237366162626435306336376461643062643265363438666366
+ 3932333666346338366334303564343064323862373930390a333162636231663961386532326264
+ 65626435353036663938356330303564346137363961313236636263333238313166656231353931
+ 6161633634636337320a396661373963623661363162643161393033653032623432323536306630
+ 39346665653031316261346636336566343563373165653763643831313234356532
diff --git a/ansible/roles/forrest/vars/vault.yml b/ansible/roles/forrest/vars/vault.yml
deleted file mode 100644
index 874f9de..0000000
--- a/ansible/roles/forrest/vars/vault.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-39626534366162623533633336393263363933636563323938643564666332633662363563636265
-6562343564353338346438643861336563363837633462330a383764653037346165633064323863
-36626537373632626265336337366232663239666238353233393463353866653934356634613837
-6636666432323837330a313434396632316335363561346465636563356462313864633464373533
-64323335393665383634613233613230393139303561393335373736303135333666613062616363
-31383064386339323232306337396164346566306632356531616663376264303031633862636232
-61393036353464623939313839626334363135356135663037613436643634326339633264376434
-62656436636532623030333961653961613163623335303831346161323731663031306566303462
-64623263646666666333343062623434636533303539323365333932313734643036356363623462
-61303430373166613466613164623534663236353762613565306662623831343335656363316138
-336538346664316633303764643961373639
diff --git a/ansible/roles/gateway/files/nginx.conf b/ansible/roles/gateway/files/nginx.conf
index 3f53ada..4cbd321 100644
--- a/ansible/roles/gateway/files/nginx.conf
+++ b/ansible/roles/gateway/files/nginx.conf
@@ -36,17 +36,15 @@ stream {
log_format access '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
- '$session_time "$ssl_preread_server_name" '
+ '$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
- log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
+ log_format ips '$remote_addr [$time_local] $upstream_addr';
access_log /var/log/nginx/access.log access;
access_log /var/log/nginx/ips.log ips;
- ssl_preread on;
-
server {
listen 443;
listen 8448;
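Review bot: Removing `ssl_preread on;` disables SNI inspection for the whole `stream {}` block, not just the log format; if a `map $ssl_preread_server_name` or `proxy_pass` elsewhere in this file still selects the upstream by server name (the `server` block opened here continues outside the hunk), that variable is now always empty and every connection goes to the default upstream. The same removal is made in roles/ingress/files/nginx.conf. Logging `$upstream_addr` is useful, but keeping `"$ssl_preread_server_name"` next to it preserves the only per-connection record of which hostname the client asked for, which is what makes ips.log useful when reviewing abuse.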
diff --git a/ansible/roles/gateway/tasks/main.yml b/ansible/roles/gateway/tasks/main.yml
index c77f6fb..2231577 100644
--- a/ansible/roles/gateway/tasks/main.yml
+++ b/ansible/roles/gateway/tasks/main.yml
@@ -1,8 +1,8 @@
- name: Configure Nginx
- include_tasks: nginx.yml
+ include: nginx.yml
- name: Configure wireguard
- include_tasks: wireguard.yml
+ include: wireguard.yml
- name: Configure fail2ban
- include_tasks: fail2ban.yml
+ include: fail2ban.yml
diff --git a/ansible/roles/gateway/tasks/wireguard.yml b/ansible/roles/gateway/tasks/wireguard.yml
index 5b15893..e5da01d 100644
--- a/ansible/roles/gateway/tasks/wireguard.yml
+++ b/ansible/roles/gateway/tasks/wireguard.yml
@@ -1,17 +1,9 @@
-- name: Install wireguard tools
- package:
- name: "{{ item }}"
- become: true
- loop:
- - wireguard-tools
- - qrencode
-
- name: Wireguard server config
template:
src: files/wireguard-server.conf
dest: /etc/wireguard/wg0.conf
mode: "0600"
- backup: true
+ backup: yes
become: true
register: wireguard_conf
@@ -49,8 +41,16 @@
sysctl:
name: net.ipv4.ip_forward
value: "1"
- sysctl_set: true
+ sysctl_set: yes
state: present
- reload: true
+ reload: yes
sysctl_file: /etc/sysctl.d/99-sysctl.conf
become: true
+
+- name: Install wireguard tools
+ package:
+ name: "{{ item }}"
+ become: true
+ loop:
+ - wireguard-tools
+ - qrencode
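Review bot: The `Install wireguard tools` task is moved below the template that writes `/etc/wireguard/wg0.conf`, so on a fresh host the config is rendered before the package that ships `/etc/wireguard` and `wg-quick` is installed; if the directory does not exist yet the template task fails, and any handler driven by `wireguard_conf` (registered here, handled outside the hunk) would run before the tools are present. Keep the package task first as it was. `backup: yes`, `sysctl_set: yes` and `reload: yes` should stay `true`.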
diff --git a/ansible/roles/gitlab/files/gitlab.rb b/ansible/roles/gitlab/files/gitlab.rb
index 610529f..0dd9070 100644
--- a/ansible/roles/gitlab/files/gitlab.rb
+++ b/ansible/roles/gitlab/files/gitlab.rb
@@ -11,7 +11,7 @@ nginx['ssl_certificate'] = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
nginx['ssl_certificate_key'] = "/etc/ssl/private/ssl-cert-snakeoil.key"
letsencrypt['enable'] = false
-gitlab_rails['time_zone'] = '{{ timezone }}'
+gitlab_rails['time_zone'] = '{{ TZ }}'
# https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html
puma['worker_processes'] = 2
@@ -36,18 +36,3 @@ gitlab_rails['gitlab_email_from'] = "{{ gitlab_from_email }}"
gitlab_rails['artifacts_path'] = "/mnt/gitlab-bulk/artifacts"
gitlab_rails['backup_path'] = "/mnt/gitlab-bulk/backups"
-
-# Registry
-registry_external_url "https://registry.git.theorangeone.net"
-registry_nginx['redirect_http_to_https'] = false
-registry_nginx['ssl_certificate'] = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
-registry_nginx['ssl_certificate_key'] = "/etc/ssl/private/ssl-cert-snakeoil.key"
-registry['storage'] = {
- 's3' => {
- 'accesskey' => '{{ gitlab_registry_access_key }}',
- 'secretkey' => '{{ gitlab_registry_secret_key }}',
- 'bucket' => '0rng-registry',
- 'region' => 'eu-central-003',
- 'regionendpoint' => 'https://s3.eu-central-003.backblazeb2.com'
- }
-}
diff --git a/ansible/roles/gitlab/tasks/main.yml b/ansible/roles/gitlab/tasks/main.yml
index f997702..23c2366 100644
--- a/ansible/roles/gitlab/tasks/main.yml
+++ b/ansible/roles/gitlab/tasks/main.yml
@@ -1,6 +1,3 @@
-- name: Include vault
- include_vars: vault.yml
-
- name: Install and configure GitLab
import_role:
name: geerlingguy.gitlab
diff --git a/ansible/roles/gitlab/vars/main.yml b/ansible/roles/gitlab/vars/main.yml
index 69a3108..e26a275 100644
--- a/ansible/roles/gitlab/vars/main.yml
+++ b/ansible/roles/gitlab/vars/main.yml
@@ -1,7 +1,23 @@
gitlab_config_template: files/gitlab.rb
gitlab_create_self_signed_cert: false
-gitlab_smtp_password: "{{ vault_gitlab_smtp_password }}"
-gitlab_smtp_user: "{{ vault_gitlab_smtp_user }}"
-gitlab_from_email: "{{ vault_gitlab_from_email }}"
-gitlab_registry_access_key: "{{ vault_gitlab_registry_access_key }}"
-gitlab_registry_secret_key: "{{ vault_gitlab_registry_secret_key }}"
+gitlab_smtp_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65613432613564643737373038393834363865356139636239393635373437323730646166366539
+ 3264306365663964383364643530313731356565393364310a333364396164303933383364323564
+ 32653239623662306437383332376233633764303131613733646661316261373130363763623064
+ 3832323835653964620a393264353864393066303264343438336665626266643338666564386532
+ 62626366343236623337353566623764653633356435623961623835313462343632
+gitlab_smtp_user: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65363932326464623165396365326130383464336166343832643563356363363930373339386534
+ 3530316232363430386666623736366632313439313934360a313862646530383833383737333332
+ 31313931626464636231616465313635306363666165383437386136383463646532626566376133
+ 6134663039653633360a353036336135366530336530313562626262653130626463393836643435
+ 66313166656461363931383837323937363365656139323564383263653037333434
+gitlab_from_email: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65643234353935653465613934373736643931396363303734336233393335346431373136356630
+ 3234363436383761346135613039353562643438306532630a383937346662306538623533623430
+ 34346434653530613764626661396463323634336365653232616661306437333034313137316231
+ 6465396332383363320a316632306261363964623263626539373037366638323834623533366335
+ 39383566353935353066306139626337643165333161653430393137323438623132
diff --git a/ansible/roles/gitlab/vars/vault.yml b/ansible/roles/gitlab/vars/vault.yml
deleted file mode 100644
index e5321d5..0000000
--- a/ansible/roles/gitlab/vars/vault.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-32363562323531613830333735616464333836386638373166633935383663646462323337633533
-6334646537616133366436343335623333626663663732620a653038383139326565336139656135
-39393334373164316334376262353030343732333531346434666336393631363833653262636337
-6139343461613930620a613234353063373433623238333637663462643233396632333831616239
-31616137333339376364653461343266373862666333326563383432383366643731613439643233
-35353831666432636332363035666464373161313765306439316365306537363531373439656439
-36316338636332623630393634306261613365333134373166613334356535336366316534393661
-66363761643532656637333934643763326562626561323639653461383930623333396464383832
-65646238343666326366376666356534353263626638323563323232383563386165663736383439
-39376536396439633137393139643737346234313939396532366333396630666162613232323266
-35663036346562633138623833306631363034663564383238323337616238663361363834623765
-32366266613665363336646635363963626334623937653332366338343163396132353930376164
-63323664666364633032326231356465316262393139336236363032653536326364653433303237
-36343261613732343663653530313333353231333732653834363936303230633138303632643830
-37343130343931346130616634346164393531613638393030366164633665306566323864353331
-66383437383061643634663163303962386261353663393038376332363130306631633332326437
-65383564316131316664393864393731356230663763663932333734636664366466
diff --git a/ansible/roles/gitlab_runner/files/config.toml b/ansible/roles/gitlab_runner/files/config.toml
index fc1aec4..18c5cea 100644
--- a/ansible/roles/gitlab_runner/files/config.toml
+++ b/ansible/roles/gitlab_runner/files/config.toml
@@ -1,4 +1,4 @@
-concurrent = {{ ansible_processor_nproc // 2 }}
+concurrent = {{ ansible_processor_nproc }}
log_level = "warning"
check_interval = 10
@@ -14,7 +14,7 @@ check_interval = 10
[runners.docker]
image = "alpine"
- privileged = true
+ privileged = false
disable_cache = false
- volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock:ro"]
+ volumes = ["/cache"]
pull_policy = "if-not-present"
diff --git a/ansible/roles/gitlab_runner/tasks/main.yml b/ansible/roles/gitlab_runner/tasks/main.yml
index d2f2a37..df82f02 100644
--- a/ansible/roles/gitlab_runner/tasks/main.yml
+++ b/ansible/roles/gitlab_runner/tasks/main.yml
@@ -1,6 +1,3 @@
-- name: Include vault
- include_vars: vault.yml
-
- name: Install runner
package:
name: gitlab-runner
diff --git a/ansible/roles/gitlab_runner/vars/main.yml b/ansible/roles/gitlab_runner/vars/main.yml
index 5e4d04c..83ee4e3 100644
--- a/ansible/roles/gitlab_runner/vars/main.yml
+++ b/ansible/roles/gitlab_runner/vars/main.yml
@@ -1 +1,7 @@
-gitlab_runner_token: "{{ vault_gitlab_runner_token }}"
+gitlab_runner_token: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65643664363337623138623538363032646330316263626632353233373832313235353939643465
+ 3736633363663137653432306465626331653064303736310a313030646266316230396563313834
+ 39366638646238303936633961343030623030633034653133376663656263333034373265313764
+ 6637373531373262610a323037316336346339616563373933313436633337656634393535333235
+ 36653337383864666137323331636136653338313133316265366337646465313533
diff --git a/ansible/roles/gitlab_runner/vars/vault.yml b/ansible/roles/gitlab_runner/vars/vault.yml
deleted file mode 100644
index 43b42fe..0000000
--- a/ansible/roles/gitlab_runner/vars/vault.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-61313533333239316433623837616239346461393538356665363034663533343165366434316137
-3837376330386436656265356637343166643465616534390a666634323334383831306336613636
-36623630646235386661633266633533396664656464333561623036313865343036653734643132
-6333393739383764340a646361383961373434303936383131326364626439353262623965643564
-31343631656234666464383935306434383363316362666263323165613939663736326435313966
-35373466333937636633383138636434333765646235633630616539343464343237383236613739
-313038366164653662616461626661363832
diff --git a/ansible/roles/ingress/files/nginx.conf b/ansible/roles/ingress/files/nginx.conf
index d3d8e6a..dc5296b 100644
--- a/ansible/roles/ingress/files/nginx.conf
+++ b/ansible/roles/ingress/files/nginx.conf
@@ -35,13 +35,11 @@ stream {
log_format access '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
- '$session_time "$ssl_preread_server_name" '
+ '$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
access_log /var/log/nginx/access.log access;
- ssl_preread on;
-
# Internal LAN route
server {
listen 443;
diff --git a/ansible/roles/ingress/tasks/main.yml b/ansible/roles/ingress/tasks/main.yml
index 3bdbc3c..13d371e 100644
--- a/ansible/roles/ingress/tasks/main.yml
+++ b/ansible/roles/ingress/tasks/main.yml
@@ -1,5 +1,5 @@
- name: Configure wireguard
- include_tasks: wireguard.yml
+ include: wireguard.yml
- name: Configure nginx
- include_tasks: nginx.yml
+ include: nginx.yml
diff --git a/ansible/roles/ingress/tasks/wireguard.yml b/ansible/roles/ingress/tasks/wireguard.yml
index 9144598..8119272 100644
--- a/ansible/roles/ingress/tasks/wireguard.yml
+++ b/ansible/roles/ingress/tasks/wireguard.yml
@@ -27,8 +27,8 @@
sysctl:
name: net.ipv4.ip_forward
value: "1"
- sysctl_set: true
+ sysctl_set: yes
state: present
- reload: true
+ reload: yes
sysctl_file: /etc/sysctl.d/99-sysctl.conf
become: true
diff --git a/ansible/roles/jellyfin/files/docker-compose.yml b/ansible/roles/jellyfin/files/docker-compose.yml
new file mode 100644
index 0000000..0e03489
--- /dev/null
+++ b/ansible/roles/jellyfin/files/docker-compose.yml
@@ -0,0 +1,36 @@
+---
+version: '3.7'
+
+services:
+ jellyfin:
+ container_name: jellyfin
+ image: linuxserver/jellyfin:latest
+ restart: unless-stopped
+ volumes:
+ - /media/jellyfin:/config
+ - /media/Movies:/media/Movies
+ - /media/Series:/media/Series
+ - /media/Videos:/media/Videos
+ - /media/Concerts:/media/Concerts
+ environment:
+ - PUID=9090
+ - PGID=9090
+ - TZ=Europe/Sofia
+ ports:
+ - 8096:8096
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.jellyfin.rule=Host('jf.chuchelo.net')
+ - traefik.http.routers.jellyfin.entrypoints=https
+ - traefik.http.routers.jellyfin.tls=true
+ - traefik.http.routers.jellyfin.tls.certresolver=letsencrypt
+ - traefik.http.routers.jellyfin.middlewares=jellyfin-mw
+ - traefik.http.middlewares.jellyfin-mw.headers.customResponseHeaders.X-Robots-Tag=noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex
+ - traefik.http.middlewares.jellyfin-mw.headers.STSSeconds=315360000
+ - traefik.http.middlewares.jellyfin-mw.headers.STSIncludeSubdomains=true
+ - traefik.http.middlewares.jellyfin-mw.headers.STSPreload=true
+ - traefik.http.middlewares.jellyfin-mw.headers.forceSTSHeader=true
+ - traefik.http.middlewares.jellyfin-mw.headers.frameDeny=true
+ - traefik.http.middlewares.jellyfin-mw.headers.contentTypeNosniff=true
+ - traefik.http.middlewares.jellyfin-mw.headers.browserXSSFilter=true
+ - traefik.http.middlewares.jellyfin-mw.headers.customFrameOptionsValue='allow-from https://jf.chuchelo.net'
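Review bot: `ports: - 8096:8096` publishes Jellyfin directly on every host interface, so the TLS, HSTS and header middleware configured in the traefik labels is bypassed by anyone who reaches port 8096; bind it locally with `- "127.0.0.1:8096:8096"` or drop the `ports` entry and let traefik reach the container over the docker network. `TZ=Europe/Sofia` is hard-coded while the rest of this commit switches templates to `{{ TZ }}`, and this file is rendered with `template` in roles/jellyfin/tasks/main.yml, so `- TZ={{ TZ }}` works here too. `rule=Host('jf.chuchelo.net')` uses single quotes where Traefik's documented matcher syntax uses backticks — confirm the rule is accepted — and `customFrameOptionsValue='allow-from …'` carries the quotes into the header value and, per Traefik's headers middleware, takes precedence over `frameDeny=true`; since `ALLOW-FROM` is ignored by current browsers, dropping that label and relying on `frameDeny` is simpler and safer.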
diff --git a/ansible/roles/jellyfin/handlers/main.yml b/ansible/roles/jellyfin/handlers/main.yml
new file mode 100644
index 0000000..996a675
--- /dev/null
+++ b/ansible/roles/jellyfin/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart jellyfin
+ shell:
+ chdir: /opt/jellyfin
+ cmd: "{{ docker_update_command }}"
diff --git a/ansible/roles/jellyfin/tasks/main.yml b/ansible/roles/jellyfin/tasks/main.yml
index 0fdf7c5..8cdc7d5 100644
--- a/ansible/roles/jellyfin/tasks/main.yml
+++ b/ansible/roles/jellyfin/tasks/main.yml
@@ -1,24 +1,17 @@
-- name: Add Jellyfin apt key
- ansible.builtin.apt_key:
- url: https://repo.jellyfin.org/jellyfin_team.gpg.key
- state: present
+- name: Create install directory
+ file:
+ path: /opt/jellyfin
+ state: directory
+ owner: "{{ docker_user.name }}"
+ mode: "{{ docker_compose_directory_mask }}"
become: true
-- name: Add Jellyfin repository
- apt_repository:
- repo: deb [arch=amd64] https://repo.jellyfin.org/debian {{ ansible_distribution_release }} main
- filename: jellyfin
- state: present
- become: true
-
-- name: Install jellyfin
- package:
- name: jellyfin
- become: true
-
-- name: Set media dir permissions
- cron:
- name: Set media permissions
- special_time: daily
- job: chown -R jellyfin:jellyfin /mnt/media
+- name: Install compose file
+ template:
+ src: files/docker-compose.yml
+ dest: /opt/jellyfin/docker-compose.yml
+ mode: "{{ docker_compose_file_mask }}"
+ owner: "{{ docker_user.name }}"
+ validate: docker-compose -f %s config
+ notify: restart jellyfin
become: true
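Review bot: The dropped daily `chown -R jellyfin:jellyfin /mnt/media` cron was the only visible step that made the media tree readable by the service; the new container runs as `PUID=9090` and bind-mounts `/media/jellyfin`, `/media/Movies` and the other `/media/*` paths, and nothing in this role creates them or sets their ownership. Add a `file` task (`state: directory`, `owner: "9090"`, `group: "9090"`) for at least `/media/jellyfin`, or record in a comment that the host prepares them. The `restart jellyfin` handler this task notifies runs `docker_update_command` in `/opt/jellyfin` without `become`, unlike the tasks here that write as root — confirm the connecting user can drive docker-compose there.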
diff --git a/ansible/roles/nebula/files/ca.crt b/ansible/roles/nebula/files/ca.crt
index 195802e..94366cb 100644
--- a/ansible/roles/nebula/files/ca.crt
+++ b/ansible/roles/nebula/files/ca.crt
@@ -1,18 +1,18 @@
$ANSIBLE_VAULT;1.1;AES256
-35346565636566303064316339396339363831623963306131303331366338643338326261626137
-3031333365383139383466323931353339346534366136350a353034373561653238643039373766
-37316638363166303162373739393934653936373639323038663639656138313035666132646136
-6339386166383137320a363536336166343539633238336364663633306562313965636536303663
-35376234336566626232383231326362393664386464346363643262393932316130623936383366
-63313539653035383665373962376165336533396565643263666634333434663432386635663434
-31613064653739363637643433653639343930623038626539353534393861646165366166616638
-38313036303261336635666161383135353637633966646462376439313539383962343564626336
-37343566306638626337316135663763343961653065616531396332303966643638646163393461
-63353630393364666336633630653765613331386233386130366636393965323231373561333163
-38613165623533396531383031316631346434333239616335373162333637363830636263613338
-38316165343632313361633362383934653832306332663732303061333135393234306232636464
-36346465633166303335363365336336383333636165633230626263633663356336366662313263
-36353231623930653361313466643064356234656639616332326534306133396338363538366136
-30643633626230613364353434323262333335363132303865646130653733623032346166653031
-63653761393935333430636230353966353765626235336439383331333436623061373835616462
-3661
+64383034666438336663396339636630323434633037373635386466633163396435336230303736
+3562386239313435373566373161343932306333356365610a363238356132363465626139643233
+32343862303066386533303536336335333034326564343030366435643765643032336635646437
+3131653964356437310a616138306362626139376662373866343238623363646236376364646661
+34306461373835373037383038626266663565346466393933613836663230643263303361356465
+31396532656262303336303839383264303435633437303463666338356465616339666231346265
+31626134613162663461356130373036663366623437653934376462616234373266663435353365
+30646534353931363766303366393235303964613332316434306366346336363866323235346363
+63363932626364313731356635323338623766306338653331323363643561643132643630333965
+39343766393061663039373630666136653635386535346462323937633164663937383762643962
+34666531363530653163303364633638633838613433353836393830306333656634383137636538
+36353538383135646138653939613863323866616634643432383437393065653535633734383434
+35643161343662626466366136393533666234646431313631353631616631366236656365366465
+37373735636533633762646661653931323533316634336631303834393438646233363866623663
+61396364303139326539666166633535666639393332346131303539653835616261653436333666
+38666363323533333631303938663065336163643430373636393866323136646662356333373761
+3366
diff --git a/ansible/roles/nebula/files/certs/casey.crt b/ansible/roles/nebula/files/certs/casey.crt
index 798fbbb..5b9f547 100644
--- a/ansible/roles/nebula/files/certs/casey.crt
+++ b/ansible/roles/nebula/files/certs/casey.crt
@@ -1,20 +1,20 @@
$ANSIBLE_VAULT;1.1;AES256
-63636434323163343761373034626236333037376261336634366531393035356435653037326238
-3839323731623165633234613132376534646266373466310a356635313261333263366632336664
-39326533333462373831663132633733666136623938313164313265326637333332616463386363
-6634333536313132310a613766363630313933343365333633333663613035313362343437383534
-32636433613365643633643536633862376231316135376437333835353164613839323562333430
-39323331353639333539356165616661663262386363386239346664643364653137633332626661
-35393332653530373162666365326135663633663265313634643135373562663763376530623038
-63343231333933616237666465306461663634363261656237383236383663336235363161623265
-30343366643637326135356636626564343436396635613566393636643264333933656265346333
-61363335303737666238393665633265393835633838636561393534343437366639636361373761
-34366334366236373633613037346463373632323265343034343335333436373733613465663464
-65643863303037643338366537336562613232313331323366663835316437376535623635383463
-38386539353834383236663766393563393063333233623661303335396534353166316230396566
-34393034333864346534383665616666633836376439646632303566613633376138313961636637
-37313635393739656161313466633231396539393666663635623034613765393438633735636666
-33326635373966353633356166313138656462373962663666653961366438383936626338663439
-36643039613061646531366462623064623837666633326532663232616139623737343732346130
-64646337356266353261363438326237313833323765663336346635353236396638376530663033
-306365363634643665646230366332653632
+64613133383265373737643031303930643035303131303331313864306332323231616534663731
+6332326533376638613331386665346166366632376465610a326635366539313466346663336361
+30366163666530626132373633653732333930306236383934353730336334653366316533333532
+6462326439306639330a633333373363613339303635373235643961346630373261316365336666
+63643135366363376666313839656537383265636330323238323738356634343933376334383866
+66346338316166303332636663396365363339386462356666303038353062633839333339633633
+66303265666464313737346431313463393265616134346138623763343261646334313061396364
+34646663633538343965653464343933633062343633643064326463653932383739326430656433
+62316337626135653534613035363235343135333435646264613664386236623632306465376266
+31306666656463333561373232343061393034356336393339386135306364363533643965613361
+34613939653765646263353863633462623434393961396335303735336433653866373534313130
+64366632313764633636353265383332303561343435333135656230656336316235353734363265
+63373033613161303736373065323565336638386537656235333639303262383437643739333762
+31323636373239623838303834353130623038633933306238333632323533303731353539383465
+34366464366161626163363163323365333932396231333930336132313563323062626334313930
+64373562366164613964613534306161366531643530343331313538383461666537306639663965
+62343036386166323036653266343362323961613432336466313731333561636234386662333264
+64393463303336643231616531393365383632303030616337336234393137393939333130633339
+333837383764333662313933666132383837
diff --git a/ansible/roles/nebula/files/certs/casey.key b/ansible/roles/nebula/files/certs/casey.key
index fa8b5d4..04ceb94 100644
--- a/ansible/roles/nebula/files/certs/casey.key
+++ b/ansible/roles/nebula/files/certs/casey.key
@@ -1,11 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
-31646561316237653338613966616162363239323863393862376136623639613730633339396230
-3830343834383934333236633462663734366432666331620a393739313230656636653432646532
-65386466633832623663386131393866666664303439613738303933656239393761653263386466
-3561656162343632350a383737343661663037306461636264353239373865613861393034626237
-37633134636638633539346534346365346332643939653737626136393961343864386438323731
-39353663353362623563326230643961623231646361396561623431376139626236313362343938
-38336138376133656130633161363766393861656466363565646264653963396539386266616631
-66333965383862633061623961316334326134326630623064323562373937323338313838353066
-38343830316665326663313331613561393238373161326637396630383030666137623633616365
-6461333239666365363339613533323536613839356332373530
+31386138633139343335346361323831306435383234653738613139376138393138383964633031
+3337346361396334636433393538666433666136353337360a376435363861393333666438383765
+35383334303931383331303161303738636437303135623833356462393766633262666433316232
+6631356631383164620a383265376365643032623835346238353130356463383139623436303935
+32636463613164613533313633333838396531303431393938393163633566363433613630303435
+36633138366362623636653565343637633338306534393236643030653532623563613834633538
+31663565626138376231643537306362336334336334353662633166653630366438633636633765
+33636362333630653064326165336334396538653332323332656634656361613335373939636264
+64356163336138316235626331373637316661363233366535356532323539653166303234346162
+3062666234396362623664626535326534376535346233376232
diff --git a/ansible/roles/nebula/files/certs/decker.crt b/ansible/roles/nebula/files/certs/decker.crt
index 56fc937..f8baec6 100644
--- a/ansible/roles/nebula/files/certs/decker.crt
+++ b/ansible/roles/nebula/files/certs/decker.crt
@@ -1,20 +1,20 @@
$ANSIBLE_VAULT;1.1;AES256
-65353231313330393239343839623361663961346636306236363938373037363538373338633731
-6430663764633362633565616462373066366234356463370a356462363864396134376338363936
-36646437363265306131643131353033613939363235643965333331633231653231366236393961
-6433386362653437650a323733353361343130306533623662323536653265306361393265393732
-39663236343530643835373132653664663661313731393433306635396639653635356531313365
-35656435353032333639366534386530363637643365356332663864323161383531316561376436
-62633036636432336434383461396564323536376238646161386562366338383734343462646631
-63636330393639303566376131643761613132346462366237623062383737663838393833383964
-30396661373738343536363831303939393738363866396364303236616262376337366637303632
-65393139623064613166353235343963653364333365323966373837373435303565343335356334
-66613963393339363638643931376434623333386133336638363336353334313835313961626235
-34306364393233663062636639396164303963303433353538386335383432376535383735646436
-65656436373234323936653263396363316432666666343536303537383032656462353761363464
-32396464646532356663346234623939656138343233353932333165623237353132633264333035
-64373134623863306564633738313233363835623733313766383761386230383033383232616137
-31363430303763656662363666646533316262646530306632613733363566366461666133623638
-64333330306637613730633733666561616331663463623739336263636637316463323061383735
-32323666383633656363643633386139613666366565356431393134356233343038663061353064
-303334396630656532363137383034323763
+66313365626166623139343638363632626563616434626336313637376537333165303363353932
+6434393565666434643433316436323338653965653064630a663063393863306131363666326135
+30333435633430383133373831326662613136313736353032643563383165396239653866393534
+3366626536373065640a623930643863636634313062383164303237643965623034643363343561
+63646234633238626139613736343434313531336531376639303261346135643933626537636439
+32313137623261316639326238303365646365376534303831303663636437343163393536313562
+62393566396536396363383865393962636236356335353264383139633663373865393861393034
+35613465373830663632316264353634623361396663343764303732316131333337663432616230
+33333463663738386132366235623661653037623564366166643061363266656438313739313830
+34356464373238363730366239326231653532346162633066363164303838366438323962306366
+62616136643130663534633161633633336461636564353734393737386364333734353065353661
+39333964323661393864346231346436353533373334313936343433343538373666396232383433
+66353264373332353366646666333636633166333565643363373636656263316130613564623134
+30616161346138386538383931326531646634376634336137363864326165643231643735366435
+61613435623339383231373062376434333839393134623138303366636637323464343232306235
+37303034316637376664363437653662326138326236633733636535393436353638303438333738
+61343332626633653838303535303430373436366263313062376233393565633266356436306365
+63656137666161396537616339613031396663656139663462396261643162316438653439643537
+386438626131393330383465303037633366
diff --git a/ansible/roles/nebula/files/certs/decker.key b/ansible/roles/nebula/files/certs/decker.key
index 15fadfd..d2e8b7c 100644
--- a/ansible/roles/nebula/files/certs/decker.key
+++ b/ansible/roles/nebula/files/certs/decker.key
@@ -1,11 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
-38646235373534373165393032646530386230363864316439633366663962383432313931613265
-3565373033636239306139313166373264363366386539380a323933393234653565623633643065
-30643236313165396637326533343864336235393634663765626638623561303062343865323730
-3766373635363739620a366531363234393034613761303838373264383138303031313739393962
-63316132636264316334366661303830343961313561613038326134386134613565666336383065
-32626138356661343366643137363735306466333933306539633063663134616165363062303366
-39326133393439633330393762373637396465633337383861376138336362343365303065326431
-33613365303464633163646130336139306430346431313465323930653164323931656432386438
-33376165656635663335353263376635333262616263376132326362393434383830313434626237
-6664653033366130313861326163623532353363633364626433
+31626534383936313834333334346434626464656166323664616562663831623630313237663864
+3437303465383439376538623466613330326236356637350a353034613434653965633165363831
+32613766336338396434306339353530363139626236326436333835363933373732663935333163
+3233643931303535650a646531303063313265616435653336376561353138326233356563646363
+64326164356532666537306137633465346562363063653436643131656534643166376535383035
+35316130663436643261333838333531353234303635616166666164376366373737626561643135
+39613265303662373933623235633266343430363766623064313065626631326131323633373439
+32366332343864643736313163353635323333356562383839623965613365633236363633306431
+35353932343261613239616462626333396532343737343166653032383033313032636230343337
+6462373035316266633134323961643866323630653237653539
diff --git a/ansible/roles/nebula/files/certs/grimes.crt b/ansible/roles/nebula/files/certs/grimes.crt
index 3205fc3..a5e1e5c 100644
--- a/ansible/roles/nebula/files/certs/grimes.crt
+++ b/ansible/roles/nebula/files/certs/grimes.crt
@@ -1,20 +1,20 @@
$ANSIBLE_VAULT;1.1;AES256
-63633837623439346639323936306262626164653662373065666133363139616631316336323961
-6135306263303839346335373262646637613963643166360a396638363534643461373531363461
-32313433383466646630396661373430353238336365303234626636306338353764623534323738
-6362373163626433660a623134343362623838363034393934323131373531616363643439336437
-32343332313936623334626434643535363361346464653634366664363964386530376261663962
-61353031313937643130333836366366656432633036383730386364343566353031653164613630
-30343062383864613833333361353566313862316436313161303364656566353765643439323162
-65663534663137383033633666396163663739326130616536386263356465303062643366666331
-30353333643632306466653935626430373437613263333563656331383936623834643839303937
-34373537613165383137653431333562323233323563353362613430616332363265656335613361
-32376333393261336333616634356161656134636533636363313261613261613539353937373462
-32373166643739363034356436323630626431363335303366373566373939356332303563383839
-35303464623133666430333265633638383266343765356565626361376164323830653265333663
-38613762326432336635373933396138616566376330316534646236663833366139323064366632
-31316461316430633865613666363439343735663466383162326539353561366436663765623565
-34326539376437613130396462653431383335326661653938623636393634613434646333343132
-34363239303163306130633037653539306162353930393265313238366437323334636131333066
-34383463303136386436663138653962623238663038623938383364363931666134626161663265
-646366313463663161653337333634353035
+61626636613635336231376431613661653133633662636237643136633439326535666262663739
+3764623865653936313661393265616434386432336165340a636430376232653032313030636531
+64303835653862663531353661336233303533626666383735316437336436346564306439366533
+3230353533633038340a616364656536613634346437646466386666643934616365396161313538
+33666232306336636562623937643064366335666538303738656233303436326261343035663762
+33336636316134383131623761346330363264333734623832376662363936363061613731366131
+34343762313964633661326633303034363466326532643665303965636366613865353233666237
+37313064643863306261346331366231306632313230663433653233626661323761376366346433
+32393637383937306562616238626338343936633732356633313636643765383231623066363839
+65386130313065663663373739376134386365343965353634663832636564393362336264393165
+65323162323066653163636465663038333132386561346364303133386138646439656633336338
+64343238353733386364383662363034346264363431343636303939373362663230663636613366
+62653861643438666630633263336638386433353066323336376565663864653766663030326462
+62393265323036663066363730636339313662633530396362396432346233383662666137383734
+37623132636231323539326130626639393432313930396662343934633666313466336665626466
+37663132363933666565346634623832363638353431306132393539633163643864313865656238
+37643939393866303933633831363635633463383135396432643065356435326361326536373130
+32613161323734636130353362666331316231353063653237336433303238656365646135316461
+396461396434313838373063643438613161
diff --git a/ansible/roles/nebula/files/certs/grimes.key b/ansible/roles/nebula/files/certs/grimes.key
index cd694bf..8eb52f5 100644
--- a/ansible/roles/nebula/files/certs/grimes.key
+++ b/ansible/roles/nebula/files/certs/grimes.key
@@ -1,11 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
-30333230396339326639656262343232396664326430383664623232376535396462366133633532
-3437663638623965373461373162623831633566633030610a383130386634363132353034326535
-35643939393230343662646135363531376162373636363438353461363031643465643435363764
-6435333432616434660a363837336462616333643330653165333562636166363361336537333966
-64623363373861623362383938613638313836346335303261336333383634356666323265303961
-39356533343132306266643063396636373265633333366330666362626130396533326365336663
-63383839306265346532333439396134343332613664323638383835366437313362323464383033
-65306336616534663531633164653139313463666434636436376233633330326633333237343361
-34626535636230316437396638316232623230643866383962323766313763633734643837323736
-6239613865336261323961353239636134393237613733303133
+63383863316433356463343636613030353935363566663764623132306132343338666231326537
+3366366462663730383864333536373335336139326336350a653163353432396438313132306537
+66623438633864633866653234303462616238653665336138346264313736623631366261666530
+3364303135313435630a313436663862366531303036616361356639316331303737323630303235
+64373136313065623536356139393965383233633362333739303335396137653735303534653539
+37373961626634626336646231633265643837626336666436383936636332363165353162656364
+61663139333061643330363635363135353637633235313638346537636335663536326363376634
+31336662323238323238363937626639326665663763636236643863393334636338386634343730
+36623464313665623264613962306330323666313830373161663165326464393965326135623733
+3566326635613839336164633138653061383735323662653561
diff --git a/ansible/roles/nebula/files/certs/ingress.crt b/ansible/roles/nebula/files/certs/ingress.crt
index bb5a9d7..8284d36 100644
--- a/ansible/roles/nebula/files/certs/ingress.crt
+++ b/ansible/roles/nebula/files/certs/ingress.crt
@@ -1,21 +1,21 @@
$ANSIBLE_VAULT;1.1;AES256
-62613762323836666136313634353965643132326439656165623938326130633631623939336434
-3931613737633935363439316362613663363335626134340a306631376131363635326337333234
-34373262383861626564383834306462306633376332353630666265303766333731613839333231
-6666343965353866320a313930383762646431656433393433336436623064643864343639393465
-37613062336430646130653833363130343266303833353739393839376235646433663236636532
-31303439663030353934383862396234663633343932646234353566313833613038366262373862
-62646262393431343638373936333339373230346134313661303138656563613463613836643634
-33343236633235316364336438613932316431383839393136343662333365396639313931663461
-33363336323532376566316532373832306662373538343361336239346163626330333736636566
-33306435306136643563643465373964383336376566383539613530313830353961623861323936
-64633336323438353238616663323338396536386161326132633466643135636162363536656665
-39653734653839366362383034366437613734373830386533363138373036323231363764633335
-34633163353237656266663035616463383165623634353062636464373361376438653230343661
-35343434656335623533623836313335616162666665313064653730356537633666336163616132
-31663432396564613538303662396538643131656137343434646333666634653938353363316363
-38623730623532663133343937643663633961353034316234663931646331656636303739383464
-37623264663038656632343262336165343635633566393535343663393163313234396463373766
-35313337353833306262363532616265656461356536633430383234633464613839303562356565
-39643738616262383734656535636566323831373035306166343039666334633264303435663865
-39623533653333323766
+33613132393536346238646436336337333631646337353863653235313463663238393731313438
+6630633261383936623762313834333233653036376663620a336338333734616561623734653737
+63313162393834333636313763643832643861643635633534343364643436646166363337353135
+6661386263333064640a663737306436356639336234633961363836633161376237366439653931
+65323761333863316530313331343730656436376435346230333466363265303734396432373065
+65386139643266333539313162393632643038343364323438653230623461626266393864633261
+65323361623639376562393538326431396238643263376366396632333962396264653730623466
+63383463363832613738616461656638616330333733663164346562386630653734313463653461
+33336563656534613339323536666265313435396563653033613835386630313465666466396330
+64336631343364383734613839356639346165313633326130376634663537336261366238623637
+38306435313861653232323666643235303930636137636165633838313962306438333236313135
+61313638343066646261613530623039316439386637326335376264653032396235306431363134
+35353932363565633463653330633339343331343366393436666166343130643038666230383431
+36353138623533633865333837633035666566376264313737373861373834306132653662393037
+36393538373964366564323963386664313832303439393166633636336637396262613331333862
+38663164613230323762343833396231366139643836623665326231626533323433636164613736
+37653163663131333332366339613337376635623064383935303038646336373361346366616636
+62363162633835353937323565646665313730396633383835313662306161383466383562333462
+39363234646365343938393733323463333764623638363238643037323065303865633066333666
+61363731646566366663
diff --git a/ansible/roles/nebula/files/certs/ingress.key b/ansible/roles/nebula/files/certs/ingress.key
index c5c72c6..cdccb2a 100644
--- a/ansible/roles/nebula/files/certs/ingress.key
+++ b/ansible/roles/nebula/files/certs/ingress.key
@@ -1,11 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
-37626435646463663062363233393732353239386231366436653663623035656339633136346138
-3963626465363538653430343733663965373865376263330a373638663731656435646438646134
-38663334363137666530653934356337326264356664343633623432613265643139353464666136
-6236383631366130310a386265373334663831333137303538303737663062656239663839326338
-35613739313935373362333933653636383033343164363964353935633061636635353464643831
-64626363646136663166373632343830333634356565336138393436313864646333386561396663
-65636436663830633661396531643838333938366236633762323231363966643035643539383438
-30396136633264396561353034653161343536313461623532303265663531323937363737353566
-32363564333536306166346165393662353234363131383733396338633839333439373538623362
-3738616565663331353362633939343832323238383930643263
+64383037313331303138303765616563663233333366613162363534626131653635626639343437
+3134643661613762373363616435366335303838623061640a303031326164616563623632653037
+35636633653731616533373862663839646462383830616634656630376231343639643434366437
+3933353135646430320a343366386363643037323538323132646366393165383935363236643934
+61336261383633636464316563306631333131393861373963636637656262393231663035333164
+65653537626365613335313363313765373561333466613365336239363136346531333335323461
+38393737376365663533386365353035346539333566343938336136623134633736613936656461
+35663634363332366530626233663333663963343764316633366337663166393335376638393037
+38376331626266353431623235353462626230663230323666346636306439646164333965396539
+3764336237653833366565313531366462336130303565346639
diff --git a/ansible/roles/nebula/files/certs/walker.crt b/ansible/roles/nebula/files/certs/walker.crt
index d3938f6..1280c5c 100644
--- a/ansible/roles/nebula/files/certs/walker.crt
+++ b/ansible/roles/nebula/files/certs/walker.crt
@@ -1,20 +1,20 @@
$ANSIBLE_VAULT;1.1;AES256
-32636232306462356330643137616236306261373438653332326239343662363234313765356563
-6361383264626665636130373539613936373036343061350a316438383266306538303836636138
-39643434323831303337336230623463633138633436386539363531626633633364663031376131
-3162363530393734380a303162386436396338383864333439313365383665666361313666373538
-35666262616466663061383463653361303230653036643033376434303236656638343134316262
-31303663396231623065316261353938613934303934613331393836663061653731316163663230
-39653337373230386337383665303638346136353031373931616166663437313431353832633239
-62343063323765636466353031353930636132373263306631616365623332646639333265653235
-61636237326561613364303538323861393061303839383532323136306134633437363731616464
-32633538376130613164646264666332303762386436383566663563346536663935323165323939
-65666333363163373165316633383430653066663938303562613739303835316661623437613863
-32383330336261356364353163666432353130343564366333626336306332643936623166386261
-35656431366431663830336631346164333362376262663365623635376161373864303831306462
-61326462343039376363663139636638663239306362353232366166623030376464336634643130
-65373532393034623730663431373763636261393035346639653137383235633265386365613063
-37303435363136613365633139316133386332373665626566346161343665626365656639346661
-30396133366566306238303564633662306561303830613937666264303731666230356633373662
-33656133323364313461353562373337356232666536643633336663326334353231613336646461
-376435366338383534623436353434623334
+62613030333861376363373831343030363236303265346261613565656661623166343462383564
+6536656631633963623166653235396634313432623036370a303865633866346331316461643930
+33633739366434353037333931653265623236373465383137306139633635633531643538383339
+3263313561333038650a383433373561656537363939306633393734363830333935633764323036
+66303863623936343239363938333665373335313164376265336662656265306436653766383266
+65343733616265653232343337363031326435653531353962363438646631653630316431333166
+36363764653534626133363631346635666665653836383735613530623537363539393033373734
+38623363356639323939373434326136356638633262613235636232383232366263333030326230
+63643837353733373665663137666161636339643461396538363465323566656339633461303631
+63653563373037303166613364653531376337343133326138386438313165646536346130303830
+30646332346537663136306138636366663566303733383432393537613937643730623765633764
+62373230376636336632383265643863306336393266363636643436613163613761663464313463
+62653765346238343530626539323933333833633639633230613038656330646363633166303063
+30313136663035373636343864626231613766653361633937303563323530326465653133303038
+34336433646534343638393530383661333036616331316134313362393662316339623731666132
+33306161333761353562383030323165623566613737663538313531373134613834613565383336
+30316130343137373537393338386532613763323763623637666130393035626462613132653339
+65333862336133333839306530353165663764666130643263616661643836343934313331663163
+383563373561373932353537623065643963
diff --git a/ansible/roles/nebula/files/certs/walker.key b/ansible/roles/nebula/files/certs/walker.key
index 33a151a..9a31ba5 100644
--- a/ansible/roles/nebula/files/certs/walker.key
+++ b/ansible/roles/nebula/files/certs/walker.key
@@ -1,11 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
-65626437643961386636343536313832353663373863313963383430363465333965363031653635
-3038636237383665653135313962643434386135346630360a666239663139353063623436633038
-38613062393337373232343338626334353033633738306138373464313739323334373637366334
-3335623465633164310a646162376139373838643731326361373366623765323263643934616432
-66626333653335343234393936653931306132333933616138616665626139396164386437633338
-36653637346532376564306537643330343135313331343163326331363664663761616533353563
-66643964313736653263666466643134656532643536343464356464663465313438643466643130
-35643738313337663663343466353232396264356163343234653032333032336134666437306139
-63653239363132396465376565306666363131366131376466356530386438653433613063646365
-6432616539316163376162613630623066626539666135366664
+33383339366463623838653336343938633539353939326561663761663331363465383830633030
+6432366561666130393363366339313162653733346337630a356535396562333364363165323736
+36363335313530663331383266663536646236386439323465336163343462663963626464373737
+3831666265643432640a376137303764323434313361346330343039623062646665396235316662
+64333463326132346436613331373337656364333538653864616131636638336437376537373537
+37666539653435636133656365616636633534323636623462643734653061653662356333386232
+31373834376465663035366139373235613433626330613139333462666232393733346630346432
+64343431326539376430616532393261383464326531643032303638613231356337303938313365
+31313037356132643132393032313038313439366462343462373163333435376166343161656131
+3938323631333731626364383864333232303134383566343763
diff --git a/ansible/roles/nebula/handlers/main.yml b/ansible/roles/nebula/handlers/main.yml
index 092c1e5..77dcdaf 100644
--- a/ansible/roles/nebula/handlers/main.yml
+++ b/ansible/roles/nebula/handlers/main.yml
@@ -1,5 +1,5 @@
- name: restart nebula
service:
name: nebula
- state: restarted
+ state: reloaded
become: true
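Review bot: `state: reloaded` will not activate a new binary, yet this handler is what the `unarchive` task in `tasks/main.yml` notifies after unpacking a fresh `/usr/bin/nebula`; a reload only asks the running process to re-read its configuration, so the old executable keeps running until something else restarts it, and the handler is still named `restart nebula`. If the service unit has no reload action at all, `reloaded` may also fail outright — I cannot tell from this diff. Keep `state: restarted` here, and if a cheaper path for config-only changes is wanted, add a separate `reload nebula` handler and notify that from the config task instead.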
diff --git a/ansible/roles/nebula/tasks/main.yml b/ansible/roles/nebula/tasks/main.yml
index c24112b..17ee84c 100644
--- a/ansible/roles/nebula/tasks/main.yml
+++ b/ansible/roles/nebula/tasks/main.yml
@@ -9,7 +9,7 @@
unarchive:
src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz
dest: /usr/bin
- remote_src: true
+ remote_src: yes
mode: "0755"
become: true
notify: restart nebula
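Review bot: The release tarball is fetched straight from GitHub and unpacked into `/usr/bin` with no integrity check, so a tampered or mis-served archive becomes the VPN binary on every host; `unarchive` cannot verify a checksum itself, so download with `get_url` and a pinned `checksum:` first, then unarchive the local file. While here, `remote_src: yes` should be `remote_src: true`, the boolean form `ansible-lint`/`yamllint` expect. The task's `- name:` line is outside this hunk.
```yaml
- name: Download nebula release
  get_url:
    url: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz
    dest: /usr/local/src/nebula-{{ nebula_version }}.tar.gz
    checksum: "sha256:{{ nebula_sha256 }}"  # pin alongside nebula_version in vars/main.yml
    mode: "0644"
  become: true

- name: Install nebula
  unarchive:
    src: /usr/local/src/nebula-{{ nebula_version }}.tar.gz
    dest: /usr/bin
    remote_src: true
    mode: "0755"
  become: true
  notify: restart nebula
```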
diff --git a/ansible/roles/nebula/vars/main.yml b/ansible/roles/nebula/vars/main.yml
index c1e1be2..1dbeede 100644
--- a/ansible/roles/nebula/vars/main.yml
+++ b/ansible/roles/nebula/vars/main.yml
@@ -2,4 +2,4 @@ nebula_lighthouse_public_ip: "{{ hosts.casey_ip }}"
nebula_lighthouse_ip: "{{ nebula.clients.casey.ip }}"
nebula_lighthouse_port: 6328
-nebula_version: 1.5.2
+nebula_version: 1.4.0
diff --git a/ansible/roles/pages/files/docker-compose.yml b/ansible/roles/pages/files/docker-compose.yml
index 4cda77e..b020d97 100644
--- a/ansible/roles/pages/files/docker-compose.yml
+++ b/ansible/roles/pages/files/docker-compose.yml
@@ -9,9 +9,6 @@ services:
- ./htpasswd.txt:/etc/nginx/.htpasswd:ro
environment:
- PUID={{ docker_user.id }}
- networks:
- - default
- - traefik
labels:
- traefik.enable=true
- traefik.http.routers.pages.rule=Host(`pages.theorangeone.net`)
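Review bot: The service keeps `traefik.enable=true` and its router labels, but its `networks` entry joining the external `traefik` network is removed (and the top-level `networks:` block goes in the later hunk of this file), so unless Traefik shares this project's default network it can no longer reach the container and the router will be created against an unreachable backend. If that is the intent, drop the Traefik labels as well; otherwise keep `- traefik` in `networks`. I cannot see how Traefik is attached from this diff, so please confirm.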
@@ -22,17 +19,12 @@ services:
- ./sites:/sites:ro
restart: unless-stopped
user: "{{ docker_user.id }}"
+ ports:
+ - 127.0.0.1:5000:5000
environment:
- SITES_ROOT=/sites
- TRAEFIK_SERVICE=traefik-pages-pages@docker
- AUTH_PASSWORD={{ traefik_pages_password }}
- TRAEFIK_CERT_RESOLVER=le
- networks:
- - default
- - traefik
labels:
- traefik.enable=true
-
-networks:
- traefik:
- external: true
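Review bot: `AUTH_PASSWORD={{ traefik_pages_password }}` is still rendered into this template, but the same commit deletes `traefik_pages_password` from `ansible/roles/pages/vars/main.yml`; unless the variable is defined elsewhere (group_vars or inventory, which I cannot see), templating this file will fail with an undefined-variable error. Either keep the definition or remove the env entry together with whatever consumes it. Separately, quote the new port mapping as `- "127.0.0.1:5000:5000"`, the Compose convention that keeps port strings from being re-typed by YAML parsers; binding to loopback is the right choice.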
diff --git a/ansible/roles/pages/tasks/main.yml b/ansible/roles/pages/tasks/main.yml
index 50b6407..61e4d12 100644
--- a/ansible/roles/pages/tasks/main.yml
+++ b/ansible/roles/pages/tasks/main.yml
@@ -40,11 +40,3 @@
password: "{{ github_user_password }}"
mode: 0640
become: true
-
-- name: Create status user
- htpasswd:
- path: /opt/pages/htpasswd.txt
- name: status
- password: "{{ status_user_password }}"
- mode: 0640
- become: true
diff --git a/ansible/roles/pages/vars/main.yml b/ansible/roles/pages/vars/main.yml
index 45ec8b3..d7ef8ca 100644
--- a/ansible/roles/pages/vars/main.yml
+++ b/ansible/roles/pages/vars/main.yml
@@ -20,15 +20,3 @@ github_user_password: !vault |
38343763363363623334313735346230373135626337343437633833633230376466396663363233
32303562653733653334316439663230353031656132363661383166656639396235353838396535
31636364366363316339386131333530626462633765393033393666343763303366
-status_user_password: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 38383638393932323735303533393663386130653438353532383330346563353538333235643439
- 3030663365636138626432313832653265326436326261380a353331356636633231366337363163
- 32386431643665393263313332316439633562623738396565643364643165303865616636323531
- 6637343239346465360a626562373534396330643830393332306138633961663561323539363639
- 65613432383964386130393064663834613735656132303331353631623135393963333239356662
- 62653764616264663761333461393734303439363538353333613237333536366637366538353539
- 37613238343339346533386231336231663430316637323835666534646365376138653563653432
- 65373232623736396230326139653162353065326664653733623033613734643032643336663063
- 30616339326564383031633566653834656631376361663136343161393334303036
-traefik_pages_password: "{{ vault_traefik_pages_password }}"
diff --git a/ansible/roles/plausible/files/clickhouse-config.xml b/ansible/roles/plausible/files/clickhouse-config.xml
index ee630ed..b8bd4e5 100644
--- a/ansible/roles/plausible/files/clickhouse-config.xml
+++ b/ansible/roles/plausible/files/clickhouse-config.xml
@@ -12,6 +12,4 @@
-
-
diff --git a/ansible/roles/plausible/files/docker-compose.yml b/ansible/roles/plausible/files/docker-compose.yml
index 0dee2bf..ca34222 100644
--- a/ansible/roles/plausible/files/docker-compose.yml
+++ b/ansible/roles/plausible/files/docker-compose.yml
@@ -8,9 +8,6 @@ services:
depends_on:
- db
- clickhouse
- networks:
- - default
- - traefik
labels:
- traefik.enable=true
- traefik.http.routers.plausible.rule=Host(`plausible.theorangeone.net`)
@@ -25,18 +22,16 @@ services:
- traefik.http.routers.plausible-embed.middlewares=plausible-index
environment:
- - SECRET_KEY_BASE={{ plausible_secret_key }}
- - SIGNING_SALT={{ plausible_signing_salt }}
+ - SECRET_KEY_BASE={{ secret_key }}
+ - SIGNING_SALT={{ signing_salt }}
- DATABASE_URL=postgres://plausible:plausible@db:5432/plausible
- DISABLE_REGISTRATION=true
- DISABLE_SUBSCRIPTION=true
- CLICKHOUSE_DATABASE_URL=http://clickhouse:8123/plausible
- BASE_URL=https://elbisualp.theorangeone.net
- - GOOGLE_CLIENT_ID={{ plausible_google_client_id }}
- - GOOGLE_CLIENT_SECRET={{ plausible_google_client_secret }}
clickhouse:
- image: clickhouse/clickhouse-server:21.12-alpine
+ image: yandex/clickhouse-server:21.6-alpine
restart: unless-stopped
volumes:
- ./clickhouse:/var/lib/clickhouse
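Review bot: `SECRET_KEY_BASE={{ secret_key }}` and `SIGNING_SALT={{ signing_salt }}` now read from unprefixed variables; Ansible exposes a role's `vars/` to the whole play by default, so names this generic can shadow, or be shadowed by, a same-named variable from another role or group_vars, silently handing Plausible the wrong secret. Keep a role prefix, e.g. `SECRET_KEY_BASE={{ plausible_secret_key }}` and `SIGNING_SALT={{ plausible_signing_salt }}`, with matching keys in `vars/main.yml`. The ClickHouse image also moves back to `yandex/clickhouse-server:21.6-alpine`, an older build under the legacy namespace; if that pin is deliberate, a one-line comment above `image:` saying why would spare the next reader a bisect.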
@@ -50,14 +45,10 @@ services:
hard: 262144
db:
- image: postgres:14-alpine
+ image: postgres:12-alpine
restart: unless-stopped
volumes:
- ./postgres:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=plausible
- POSTGRES_USER=plausible
-
-networks:
- traefik:
- external: true
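Review bot: `image: postgres:12-alpine` will refuse to start against `./postgres` if that data directory was initialised by the `postgres:14-alpine` image this line replaces — PostgreSQL does not read a data directory from a newer major version, so a downgrade needs a dump and restore, not just an image change. If the volume is fresh this is harmless; otherwise keep 14 or plan the migration before deploying. Unrelated to the change but in the same block, `POSTGRES_PASSWORD=plausible` and the matching `DATABASE_URL` are hard-coded while the other secrets in this file are vaulted; a `{{ plausible_db_password }}` vault variable would bring them in line.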
diff --git a/ansible/roles/plausible/tasks/main.yml b/ansible/roles/plausible/tasks/main.yml
index 4c431a7..0293245 100644
--- a/ansible/roles/plausible/tasks/main.yml
+++ b/ansible/roles/plausible/tasks/main.yml
@@ -1,6 +1,3 @@
-- name: Include vault
- include_vars: vault.yml
-
- name: Create install directory
file:
path: /opt/plausible
diff --git a/ansible/roles/plausible/vars/main.yml b/ansible/roles/plausible/vars/main.yml
index 34c080a..9d2dd72 100644
--- a/ansible/roles/plausible/vars/main.yml
+++ b/ansible/roles/plausible/vars/main.yml
@@ -1,4 +1,21 @@
-plausible_secret_key: "{{ vault_plausible_secret_key }}"
-plausible_signing_salt: "{{ vault_plausible_signing_salt }}"
-plausible_google_client_id: "{{ vault_plausible_google_client_id }}"
-plausible_google_client_secret: "{{ vault_plausible_google_client_secret }}"
+secret_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 39336333353061326461306663306661393465646536323664353933643030623561393732323438
+ 3162376361386238623238323765376261303431643530660a646234653266326264336636343264
+ 38396537646661386435353134663033336133646233343334356364663136373233623436383862
+ 6139326335313830370a623737303837643630613535363534613663343163353330626131376435
+ 61346534303264643065663763653837396530333166336364346234663031616565666163323631
+ 64626666626466333131353264313166313139623865393833393766636466383139323463313263
+ 36376337623437346465346665633732333264333662363632623235326262626339366434396563
+ 64326232306534656161343638316166313763333834393065323965626465663136356332636463
+ 62343466396637643466373561316665333238393964306232353239303062653432303466666638
+ 62623038393639393339303661633039306463306364656339656164313033643536356266363939
+ 613233393837653836633837373339653934
+signing_salt: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 35366665313061333735636265386535663830666531376365323033353338653536633334646566
+ 3065393638663934623237336561633365303664613863350a326661393439393532316666653134
+ 61353939626433396530636665636439313966636130386365396535326239366331646664383562
+ 3763326533373266620a376230613664633332663065393561656565653634366130323534633865
+ 35336236653664373131343364373637653261303030663239333534653432386438343162393866
+ 3563353137633338623239346538643662393537313932386366
diff --git a/ansible/roles/plausible/vars/vault.yml b/ansible/roles/plausible/vars/vault.yml
deleted file mode 100644
index 6f76661..0000000
--- a/ansible/roles/plausible/vars/vault.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-31656661613230326431396337643933383263633639376230636236333031653566306465366438
-3131663665396638333364613661333435613138623736640a636234363832343430353262653464
-64653131376639306163343235633565393635393231643230396463363563646265356535313839
-3931313064666630640a613433616261343033613863633865393266363438373163343362356235
-38306438623830613364333363646665643437656238323262653066336437386534386563313166
-35653261636534366230303363353263616137306230303832646630353439346561326464323330
-37386366306332393734623734316231613631626364393839653830353636323034633662646535
-31306632643962353766333934303538326663386436323466393363656266666336336361663339
-31323834373563343130353732666334356137356432636363633239333130393662356166643332
-32393837313033333934373362656466633863303732353765313931663330613532613035303466
-63646265333730363561386538623663353735323139333465363761316362326464396330383062
-61366665306166386337323630613861343465363339343531613934636139643136336132613038
-32396235363531336562306262633035313035653432376466303665326331666365393465656631
-38373238313637636434313135353862366264316138366261613634326161326437643238383730
-35313039333462626162343733363031386136396139386434366334366237353465366363333936
-34316662623864383539636166616432346533346338633865306565386638353666333733616164
-65316364633534303231313163623236333662636137313564653537396630306532663830323033
-33303232303037613433316538303364356435366161613662303639323361363561633964313434
-39343139613139396334646538313364343038376464316161346431646438313636356239356135
-32393937623435306335636133643365343537656463343232323164323333376264353935306230
-66313137663739373834333235653433313330616632346664616134343532613063616435343832
-38396536626234353437613631356434393331373366633764326564346366316365383363363932
-61646563663565323737393536366331646635326239613565316432376337363430396236303837
-37623337366261636661316563633661333065643164363265626132633036343033306161386364
-6538
diff --git a/ansible/roles/privatebin/files/docker-compose.yml b/ansible/roles/privatebin/files/docker-compose.yml
index 2f719e3..8d6d3dc 100644
--- a/ansible/roles/privatebin/files/docker-compose.yml
+++ b/ansible/roles/privatebin/files/docker-compose.yml
@@ -4,7 +4,7 @@ services:
privatebin:
image: privatebin/nginx-fpm-alpine:latest
environment:
- - TZ={{ timezone }}
+ - TZ={{ TZ }}
volumes:
- "{{ app_data_dir }}/privatebin/:/srv/data"
- "{{ app_data_dir }}/privatebin/conf.php:/srv/cfg/conf.php:ro"
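Review bot: The renamed `- TZ={{ TZ }}` uses an upper-case Ansible variable, unlike every other variable in these templates (`docker_user`, `app_data_dir`, the old `timezone`), and reads like the container environment variable rather than the Ansible var that feeds it; the same rename appears in the calibre, librespeed, nextcloud, quassel, tt-rss and uptime-kuma compose hunks. A lower-case name in keeping with the rest of the files, e.g. `- TZ={{ timezone }}`, or a one-line comment where `TZ` is defined explaining the convention, would keep the templates consistent. Wherever `TZ` is defined is outside this diff, so I cannot confirm it is set for every host these roles run on.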
@@ -12,10 +12,3 @@ services:
labels:
- traefik.enable=true
- traefik.http.routers.privatebin.rule=Host(`bin.theorangeone.net`)
- networks:
- - default
- - traefik
-
-networks:
- traefik:
- external: true
diff --git a/ansible/roles/pve_docker/files/calibre/docker-compose.yml b/ansible/roles/pve_docker/files/calibre/docker-compose.yml
index 0ada5e6..b87c80e 100644
--- a/ansible/roles/pve_docker/files/calibre/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/calibre/docker-compose.yml
@@ -5,7 +5,7 @@ services:
environment:
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}
- - TZ={{ timezone }}
+ - TZ={{ TZ }}
restart: unless-stopped
volumes:
- /mnt/tank/app-data/calibre:/config
@@ -13,10 +13,3 @@ services:
labels:
- traefik.enable=true
- traefik.http.routers.calibre.rule=Host(`calibre.jakehoward.tech`)
- networks:
- - default
- - traefik
-
-networks:
- traefik:
- external: true
diff --git a/ansible/roles/pve_docker/files/librespeed/docker-compose.yml b/ansible/roles/pve_docker/files/librespeed/docker-compose.yml
index 82bce75..8aeff73 100644
--- a/ansible/roles/pve_docker/files/librespeed/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/librespeed/docker-compose.yml
@@ -5,7 +5,7 @@ services:
environment:
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}
- - TZ={{ timezone }}
+ - TZ={{ TZ }}
ports:
- 33377:80
restart: unless-stopped
@@ -14,10 +14,3 @@ services:
- traefik.http.routers.librespeed.rule=Host(`speed.jakehoward.tech`)
- traefik.http.routers.librespeed.middlewares=librespeed-auth@docker
- traefik.http.middlewares.librespeed-auth.basicauth.users={{ librespeed_basicauth }}
- networks:
- - default
- - traefik
-
-networks:
- traefik:
- external: true
diff --git a/ansible/roles/pve_docker/files/nextcloud/config.php b/ansible/roles/pve_docker/files/nextcloud/config.php
index 608805a..7c30fb9 100644
--- a/ansible/roles/pve_docker/files/nextcloud/config.php
+++ b/ansible/roles/pve_docker/files/nextcloud/config.php
@@ -19,7 +19,7 @@ $CONFIG = array (
0 => 'intersect.jakehoward.tech',
),
'dbtype' => 'mysql',
- 'version' => '24.0.1.1',
+ 'version' => '22.2.0.2',
'overwrite.cli.url' => 'https://intersect.jakehoward.tech',
'dbname' => 'nextcloud',
'dbhost' => 'mariadb',
diff --git a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml
index d232b3f..9f723e9 100644
--- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml
@@ -2,11 +2,11 @@ version: "2.3"
services:
nextcloud:
- image: lscr.io/linuxserver/nextcloud:24.0.1
+ image: lscr.io/linuxserver/nextcloud:version-22.2.0
environment:
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}
- - TZ={{ timezone }}
+ - TZ={{ TZ }}
- DOCKER_MODS=theorangeone/lsio-mod-more-processes:latest
volumes:
- "{{ app_data_dir }}/nextcloud/apps:/config/www/nextcloud/apps"
@@ -26,9 +26,6 @@ services:
- traefik.http.services.nextcloud-nextcloud.loadbalancer.server.scheme=https
- traefik.http.middlewares.nextcloud-hsts.headers.stsseconds=15552000
- traefik.http.routers.nextcloud.middlewares=nextcloud-hsts@docker
- networks:
- - default
- - traefik
mariadb:
image: mariadb:10.5
@@ -46,7 +43,3 @@ services:
restart: unless-stopped
volumes:
- /mnt/tank/dbs/redis/nextcloud:/data
-
-networks:
- traefik:
- external: true
diff --git a/ansible/roles/pve_docker/files/quassel/docker-compose.yml b/ansible/roles/pve_docker/files/quassel/docker-compose.yml
index d07501a..e518a3f 100644
--- a/ansible/roles/pve_docker/files/quassel/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/quassel/docker-compose.yml
@@ -5,7 +5,7 @@ services:
environment:
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}
- - TZ={{ timezone }}
+ - TZ={{ TZ }}
- DB_BACKEND=PostgreSQL
- DB_PGSQL_USERNAME=quassel
- DB_PGSQL_PASSWORD=quassel
@@ -20,7 +20,7 @@ services:
- 4242:4242
db:
- image: postgres:14-alpine
+ image: postgres:12-alpine
restart: unless-stopped
environment:
- POSTGRES_USER=quassel
diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml
index 723f8f1..3599162 100644
--- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml
@@ -3,7 +3,7 @@ version: "2.3"
services:
synapse:
- image: matrixdotorg/synapse:v1.59.1
+ image: matrixdotorg/synapse:v1.44.0
restart: unless-stopped
environment:
- SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml
@@ -17,13 +17,10 @@ services:
- db
labels:
- traefik.enable=true
- - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`) || Host(`matrix.theorangeone.net`)
- networks:
- - default
- - traefik
+ - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`)
db:
- image: postgres:14-alpine
+ image: postgres:12-alpine
restart: unless-stopped
environment:
- POSTGRES_USER=synapse
@@ -43,13 +40,6 @@ services:
restart: unless-stopped
labels:
- traefik.enable=true
- - traefik.http.routers.synapse-admin.rule=Host(`matrix.theorangeone.net`) && PathPrefix(`/admin`)
+ - traefik.http.routers.synapse-admin.rule=Host(`matrix.jakehoward.tech`) && PathPrefix(`/admin`)
- traefik.http.middlewares.synapse-admin-path.stripprefix.prefixes=/admin
- traefik.http.routers.synapse-admin.middlewares=synapse-admin-path@docker
- networks:
- - default
- - traefik
-
-networks:
- traefik:
- external: true
diff --git a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml
index 71a850f..209c7d5 100644
--- a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml
@@ -6,7 +6,7 @@ services:
environment:
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}
- - TZ={{ timezone }}
+ - TZ={{ TZ }}
- DOCKER_MODS=theorangeone/lsio-mod-more-processes:latest
- TTRSS_DB_USER=tt-rss
@@ -27,19 +27,12 @@ services:
- db
tmpfs:
- /config/log
- networks:
- - default
- - traefik
db:
- image: postgres:14-alpine
+ image: postgres:12-alpine
restart: unless-stopped
volumes:
- /mnt/tank/dbs/postgres/tt-rss/:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=tt-rss
- POSTGRES_USER=tt-rss
-
-networks:
- traefik:
- external: true
diff --git a/ansible/roles/pve_docker/files/wallabag/docker-compose.yml b/ansible/roles/pve_docker/files/wallabag/docker-compose.yml
index 838dfc3..a88c42e 100644
--- a/ansible/roles/pve_docker/files/wallabag/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/wallabag/docker-compose.yml
@@ -2,7 +2,7 @@ version: "2.3"
services:
wallabag:
- image: wallabag/wallabag:2.5.0
+ image: wallabag/wallabag:2.4.2
restart: unless-stopped
environment:
- SYMFONY__ENV__SECRET={{ wallabag_secret }}
@@ -15,16 +15,9 @@ services:
- traefik.http.routers.wallabag.rule=Host(`wallabag.jakehoward.tech`)
depends_on:
- redis
- networks:
- - default
- - traefik
redis:
image: redis:6-alpine
restart: unless-stopped
volumes:
- /mnt/tank/dbs/redis/wallabag:/data
-
-networks:
- traefik:
- external: true
diff --git a/ansible/roles/pve_docker/files/whoami/docker-compose.yml b/ansible/roles/pve_docker/files/whoami/docker-compose.yml
index 0c1cd24..2bf9a7b 100644
--- a/ansible/roles/pve_docker/files/whoami/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/whoami/docker-compose.yml
@@ -7,10 +7,3 @@ services:
labels:
- traefik.enable=true
- traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`who.0rng.one`)
- networks:
- - default
- - traefik
-
-networks:
- traefik:
- external: true
diff --git a/ansible/roles/pve_docker/tasks/main.yml b/ansible/roles/pve_docker/tasks/main.yml
index 4fd5c51..ad251f3 100644
--- a/ansible/roles/pve_docker/tasks/main.yml
+++ b/ansible/roles/pve_docker/tasks/main.yml
@@ -1,23 +1,23 @@
- name: Install calibre
- include_tasks: calibre.yml
+ include: calibre.yml
- name: Install librespeed
- include_tasks: librespeed.yml
+ include: librespeed.yml
- name: Install nextcloud
- include_tasks: nextcloud.yml
+ include: nextcloud.yml
- name: Install quassel
- include_tasks: quassel.yml
+ include: quassel.yml
- name: Install synapse
- include_tasks: synapse.yml
+ include: synapse.yml
- name: Install tt-rss
- include_tasks: tt-rss.yml
+ include: tt-rss.yml
- name: Install wallabag
- include_tasks: wallabag.yml
+ include: wallabag.yml
- name: Install whoami
- include_tasks: whoami.yml
+ include: whoami.yml
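Review bot: Every task in this file now uses the `include` action, which Ansible has deprecated in favour of `include_tasks` (dynamic) and `import_tasks` (static); newer ansible-core releases and ansible-lint flag it, and the same change appears in the qbittorrent tasks/main.yml hunk and in the `- name: fail2ban` task of the traefik tasks/main.yml hunk. If the goal is compatibility with an older Ansible, a comment on the first task such as `# "include" kept for compatibility with the Ansible version in use; switch to include_tasks when upgrading` would record that for whoever next touches these files.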
diff --git a/ansible/roles/pve_docker/tasks/nextcloud.yml b/ansible/roles/pve_docker/tasks/nextcloud.yml
index a3e7717..e3fb593 100644
--- a/ansible/roles/pve_docker/tasks/nextcloud.yml
+++ b/ansible/roles/pve_docker/tasks/nextcloud.yml
@@ -28,14 +28,6 @@
register: config_file
become: true
-- name: Install occ script
- template:
- src: files/nextcloud/occ
- dest: /opt/nextcloud/occ
- mode: "0755"
- owner: "{{ docker_user.name }}"
- become: true
-
- name: restart nextcloud
shell:
chdir: /opt/nextcloud
diff --git a/ansible/roles/qbittorrent/tasks/main.yml b/ansible/roles/qbittorrent/tasks/main.yml
index 060f268..d7faa19 100644
--- a/ansible/roles/qbittorrent/tasks/main.yml
+++ b/ansible/roles/qbittorrent/tasks/main.yml
@@ -1,5 +1,5 @@
- name: qbittorrent
- include_tasks: qbittorrent.yml
+ include: qbittorrent.yml
- name: nginx
- include_tasks: nginx.yml
+ include: nginx.yml
diff --git a/ansible/roles/qbittorrent/tasks/qbittorrent.yml b/ansible/roles/qbittorrent/tasks/qbittorrent.yml
index 3e557f7..1c6fed0 100644
--- a/ansible/roles/qbittorrent/tasks/qbittorrent.yml
+++ b/ansible/roles/qbittorrent/tasks/qbittorrent.yml
@@ -31,7 +31,9 @@
- {section: AutoRun, option: enabled, value: "false"}
- {section: LegalNotice, option: Accepted, value: "true"}
- {section: Preferences, option: Connection\UPnP, value: "false"}
- - {section: Preferences, option: Downloads\SavePath, value: /mnt/media/temp/downloads}
+ - {section: Preferences, option: Downloads\SavePath, value: /mnt/downloads/completed/}
+ - {section: Preferences, option: Downloads\TempPath, value: /mnt/downloads/}
+ - {section: Preferences, option: Downloads\TempPathEnabled, value: "true"}
- {section: Preferences, option: WebUI\Address, value: "*"}
- {section: Preferences, option: WebUI\ServerDomains, value: "*"}
- {section: Preferences, option: WebUI\Port, value: "8080"}
diff --git a/ansible/roles/renovate/files/config.js b/ansible/roles/renovate/files/config.js
deleted file mode 100644
index 7d0b643..0000000
--- a/ansible/roles/renovate/files/config.js
+++ /dev/null
@@ -1,15 +0,0 @@
-module.exports = {
- endpoint: 'https://git.theorangeone.net/api/v4/',
- token: '{{ renovate_gitlab_token }}',
- platform: 'gitlab',
- //dryRun: true,
- autodiscover: true,
- onboarding: false,
- redisUrl: 'redis://redis',
- repositoryCache: 'enabled',
- persistRepoData: true,
- binarySource: "docker",
- dockerUser: "{{ docker_user.id }}",
- baseDir: "/opt/renovate/renovate",
- cacheDir: "/opt/renovate/renovate/cache"
-};
diff --git a/ansible/roles/renovate/files/docker-compose.yml b/ansible/roles/renovate/files/docker-compose.yml
deleted file mode 100644
index 692868b..0000000
--- a/ansible/roles/renovate/files/docker-compose.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-version: "2.3"
-services:
- renovate:
- image: renovate/renovate:32-slim
- command: /entrypoint.sh
- user: "{{ docker_user.id }}"
- environment:
- - TZ={{ timezone }}
- - GITHUB_COM_TOKEN={{ renovate_github_token }}
- - DOCKER_HOST=tcp://docker_proxy:2375
- - LOG_LEVEL=debug # Noisy, but required for debugging
- restart: unless-stopped
- depends_on:
- - redis
- - docker_proxy
- volumes:
- - ./config.js:/usr/src/app/config.js:ro
- - ./entrypoint.sh:/entrypoint.sh:ro
- - /opt/renovate/renovate:/opt/renovate/renovate # These must be the same
-
- redis:
- image: redis:6-alpine
- restart: unless-stopped
- volumes:
- - ./redis:/data
-
- docker_proxy:
- image: tecnativa/docker-socket-proxy:latest
- restart: unless-stopped
- environment:
- - POST=1
- - CONTAINERS=1
- - INFO=1
- - IMAGES=1
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock:ro
diff --git a/ansible/roles/renovate/files/entrypoint.sh b/ansible/roles/renovate/files/entrypoint.sh
deleted file mode 100644
index 6b7f42e..0000000
--- a/ansible/roles/renovate/files/entrypoint.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-while true;
-do
- renovate $@
- echo "> Sleeping for 1 hour..."
- sleep 1h &
- wait $!
-done
diff --git a/ansible/roles/renovate/handlers/main.yml b/ansible/roles/renovate/handlers/main.yml
deleted file mode 100644
index 9ec2233..0000000
--- a/ansible/roles/renovate/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: restart renovate
- shell:
- chdir: /opt/renovate
- cmd: "{{ docker_update_command }}"
diff --git a/ansible/roles/renovate/tasks/main.yml b/ansible/roles/renovate/tasks/main.yml
deleted file mode 100644
index 1dfff88..0000000
--- a/ansible/roles/renovate/tasks/main.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- name: Include vault
- include_vars: vault.yml
-
-- name: Create install directory
- file:
- path: /opt/renovate
- state: directory
- owner: "{{ docker_user.name }}"
- mode: "{{ docker_compose_directory_mask }}"
- become: true
-
-- name: Install compose file
- template:
- src: files/docker-compose.yml
- dest: /opt/renovate/docker-compose.yml
- mode: "{{ docker_compose_file_mask }}"
- owner: "{{ docker_user.name }}"
- validate: docker-compose -f %s config
- notify: restart renovate
- become: true
-
-- name: Install config file
- template:
- src: files/config.js
- dest: /opt/renovate/config.js
- mode: "{{ docker_compose_file_mask }}"
- owner: "{{ docker_user.name }}"
- notify: restart renovate
- become: true
-
-- name: Install custom entrypoint
- template:
- src: files/entrypoint.sh
- dest: /opt/renovate/entrypoint.sh
- mode: "0755"
- owner: "{{ docker_user.name }}"
- notify: restart renovate
- become: true
diff --git a/ansible/roles/renovate/vars/main.yml b/ansible/roles/renovate/vars/main.yml
deleted file mode 100644
index 9635a1e..0000000
--- a/ansible/roles/renovate/vars/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-renovate_gitlab_token: "{{ vault_renovate_gitlab_token }}"
-renovate_github_token: "{{ vault_renovate_github_token }}"
diff --git a/ansible/roles/renovate/vars/vault.yml b/ansible/roles/renovate/vars/vault.yml
deleted file mode 100644
index 3f0466d..0000000
--- a/ansible/roles/renovate/vars/vault.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-37666339323131376463616330376335623238363930353938383162623162633665623763626464
-3833623739633363616362643166393538386139373139310a393530323937373938346237633536
-32376237386536633134613438383730323565356164313933376232343866303764643033396237
-6133313835663637660a336162303239636137313339366330323463326339366537343164663336
-61346434383164336138626261663939333265306430316535653062393431646230636162373665
-39386436306534316632376238616332636265303534316366356139303865323631323064303665
-64636565666231643330396164383066623166393339633330363633343639346637343239313936
-37613266393438616166326138313262623837386231393666633361396364313335346238313863
-65383435626335333631326537373366636439306366373235386132393839663063333063383133
-6333613165306462376631326239613864613630363738633331
diff --git a/ansible/roles/restic/files/backrest-logrotate b/ansible/roles/restic/files/backrest-logrotate
index 8417c77..b074ee8 100644
--- a/ansible/roles/restic/files/backrest-logrotate
+++ b/ansible/roles/restic/files/backrest-logrotate
@@ -1,6 +1,6 @@
-/home/restic/log/*.log {
- daily
- rotate 14
+/home/restic/log/* {
+ weekly
+ rotate 12
missingok
compress
nodateext
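Review bot: The new glob `/home/restic/log/*` also matches the files logrotate itself produces in that directory (`*.1`, `*.2.gz`, … given `compress` and `nodateext`), so already-rotated archives are rotated and renumbered again on every weekly run; the logrotate manual warns specifically against a bare `*` for this reason. The previous `/home/restic/log/*.log` pattern matched the `$1-$(date -Iseconds).log` names backrest.sh writes without that problem, so `/home/restic/log/*.log {` is the safer first line. The move to `weekly` / `rotate 12` is a separate retention choice that deserves a one-line comment.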
diff --git a/ansible/roles/restic/files/backrest.sh b/ansible/roles/restic/files/backrest.sh
index b369500..82e853f 100644
--- a/ansible/roles/restic/files/backrest.sh
+++ b/ansible/roles/restic/files/backrest.sh
@@ -11,7 +11,7 @@ export GOGC=20 # HACK: Work around for restic's high memory usage https://githu
export RESTIC_LOG_DIR="$HOME/log"
export RESTIC_LOG_FILE="$RESTIC_LOG_DIR/$1-$(date -Iseconds).log"
-export FORGET_OPTIONS="--keep-daily 60 --keep-monthly 6 --group-by host"
+export FORGET_OPTIONS="--keep-daily 30"
mkdir -p "$RESTIC_LOG_DIR"
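Review bot: `export FORGET_OPTIONS="--keep-daily 30"` halves the daily retention window and drops the `--keep-monthly 6` tier entirely, so after about a month no older restore point survives a forget/prune; since these backups are the recovery path against accidental deletion or a compromised host, that shorter window is a trade-off worth stating on the line. Removing `--group-by host` also changes grouping to restic's default, which groups by host and paths, so snapshot sets with differing paths are now retained independently. If the shorter policy is intended, `export FORGET_OPTIONS="--keep-daily 30" # 30-day window only, no monthly tier; grouping is restic's default` would document it.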
diff --git a/ansible/roles/restic/tasks/homeassistant.yml b/ansible/roles/restic/tasks/homeassistant.yml
deleted file mode 100644
index dfd2d01..0000000
--- a/ansible/roles/restic/tasks/homeassistant.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-- name: Install CIFS utils
- package:
- name: cifs-utils
- become: true
-
-- name: Create dir for CIFS mount
- file:
- path: /mnt/home-assistant
- state: directory
- mode: "0755"
- become: true
-
-- name: Create dir for each CIFS mount
- file:
- path: /mnt/home-assistant/{{ item }}
- state: directory
- mode: "0600"
- become: true
- loop: "{{ restic_homeassistant_mounts }}"
-
-- name: Create mounts
- mount:
- path: /mnt/home-assistant/{{ item }}
- fstype: cifs
- opts: username=homeassistant,password=homeassistant
- src: //{{ pve_hosts.homeassistant.ip }}/{{ item }}
- state: mounted
- become: true
- loop: "{{ restic_homeassistant_mounts }}"
diff --git a/ansible/roles/restic/tasks/main.yml b/ansible/roles/restic/tasks/main.yml
index d5bed99..f2df011 100644
--- a/ansible/roles/restic/tasks/main.yml
+++ b/ansible/roles/restic/tasks/main.yml
@@ -90,7 +90,3 @@
mode: "0600"
become: true
when: ansible_os_family == 'Archlinux'
-
-- name: Install HomeAssistant mounts
- include_tasks: homeassistant.yml
- when: ansible_hostname == 'pve-restic'
diff --git a/ansible/roles/restic/vars/main.yml b/ansible/roles/restic/vars/main.yml
index 09ca845..28cc7e0 100644
--- a/ansible/roles/restic/vars/main.yml
+++ b/ansible/roles/restic/vars/main.yml
@@ -25,7 +25,3 @@ restic_key: !vault |
66643135336539333738623231346331623464636637373639666435663961383936
restic_b2_bucket: 0rng-restic
healthchecks_host: https://hc-ping.com
-
-restic_homeassistant_mounts:
- - backup
- - config
diff --git a/ansible/roles/traefik/files/docker-compose.yml b/ansible/roles/traefik/files/docker-compose.yml
index f357f29..fc73942 100644
--- a/ansible/roles/traefik/files/docker-compose.yml
+++ b/ansible/roles/traefik/files/docker-compose.yml
@@ -2,8 +2,8 @@ version: "2.3"
services:
traefik:
- image: traefik:v2.6
- user: "{{ docker_user.id }}"
+ image: traefik:v2.5
+ network_mode: host
environment:
- CF_DNS_API_TOKEN={{ cloudflare_api_token }}
volumes:
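Review bot: The added `network_mode: host` together with the removal of `user: "{{ docker_user.id }}"` means traefik now runs as root in the host network namespace, and the companion traefik.yml hunk points the docker provider at `unix:///var/run/docker.sock` directly instead of the `tecnativa/docker-socket-proxy` service that the second hunk of this file deletes. Unrestricted access to the Docker socket from the reverse proxy (presumably internet-facing, given the 80/443 entry points) removes the blast-radius limit the proxy provided — it exposed only `CONTAINERS=1` and `INFO=1` — so a compromise of traefik now amounts to control of the Docker host. If host networking is required, keeping a read-only socket proxy reachable on loopback, or at minimum a comment on the `network_mode` line recording why direct socket access as root was accepted, would make the trade-off explicit. The `volumes:` list that would show the socket mount continues outside this hunk.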
@@ -11,39 +11,3 @@ services:
- /tmp/traefik-logs:/var/log/traefik
- ./traefik:/etc/traefik
restart: unless-stopped
- ports:
- - 80:80
- - 443:443
- - "{{ private_ip }}:8080:8080"
- depends_on:
- - docker_proxy
- - shenanigans
- networks:
- - default
- - traefik
- - proxy_private
-
- docker_proxy:
- image: tecnativa/docker-socket-proxy:latest
- restart: unless-stopped
- environment:
- - CONTAINERS=1
- - INFO=1
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock:ro
- networks:
- - proxy_private
-
- shenanigans:
- image: nginx:alpine
- restart: unless-stopped
- volumes:
- - /opt/traefik/nginx.conf:/etc/nginx/conf.d/default.conf:ro
- networks:
- - proxy_private
-
-networks:
- traefik:
- external: true
- proxy_private:
- internal: true
diff --git a/ansible/roles/traefik/files/fail2ban/f2b_key.key b/ansible/roles/traefik/files/fail2ban/f2b_key.key
deleted file mode 100644
index bb4a5d4..0000000
--- a/ansible/roles/traefik/files/fail2ban/f2b_key.key
+++ /dev/null
@@ -1,25 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-62333161626439326166306363343866616336646134376134326265386134343338313164653334
-3131633561363730376161323034643836333738303361320a613764383135373933636537333331
-32633335663462653361643538656533313633666666303830363533616263663135323635613235
-3738396530363130370a323338663966353333373862353964636333343436613932303765373035
-61353363633836613830346631323565326338616331353665653333383065376565626164306266
-32346133643635626632326133333933656333346336336232613536386661366537383439646632
-35323838633266633263646563323834363066336432663665616433303632646234326266653036
-35666532383261663430303764383833396336393031316361633563336538663931333736633161
-33333230343731663038626362353163663363396134303431393061333136393664643535393662
-65333561623335656635393364666135343462646237316138393637356261303634383830636462
-63336231643030643636643431616434643765373037393832613563323132383864383365316365
-35663930373938653163363436373236313162353661646531333461643463663336383332633431
-63633938306533343561646663393165353633306131336135633762306666326465306335343665
-34323261623531646566626561643465333737323562646137366235363339663163656566383266
-39326637373739623338653633633237396362633062303033366530383334353032643434623339
-38633563396432326430386638333837343733633364336536626563363932646636343333326333
-63326566663265346537633134653636636436323738396530326332656165396635316634653133
-31373137636233323563343433383837633132636434303134313431343364313735316633343732
-62663537616663356133636337373630616134363262333332303965393463643833343561386639
-62316136363661653430336566323539643239346539353535346539646138366462346634336165
-37343737656564333365346538656661343165623037613030356233626534306533303738646363
-35396566303561366333363265373733636138336533336534393262643831613836326639623633
-62313830626264323965303933393466643433373136353232383262323963613432313139303062
-34373236363635623337
diff --git a/ansible/roles/traefik/files/fail2ban/remote-action.conf b/ansible/roles/traefik/files/fail2ban/remote-action.conf
index 58a99fc..4a8ffe0 100644
--- a/ansible/roles/traefik/files/fail2ban/remote-action.conf
+++ b/ansible/roles/traefik/files/fail2ban/remote-action.conf
@@ -1,6 +1,6 @@
[Definition]
-actionban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /etc/fail2ban/f2b_key.key set traefik banip
-actionunban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /etc/fail2ban/f2b_key.key set traefik unbanip
+actionban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /root/.ssh/f2b/id_ed25519 set traefik banip
+actionunban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /root/.ssh/f2b/id_ed25519 set traefik unbanip
actioncheck =
actionstart =
actionstop =
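Review bot: The new `actionban`/`actionunban` lines reference `/root/.ssh/f2b/id_ed25519`, but nothing in this diff provisions that key — the fail2ban tasks hunk deletes the "Create SSH key" task and the vaulted `f2b_key.key` file is removed — so the ban action depends on a key placed out of band and will fail on a freshly provisioned host until it exists. If that is intended, a comment above `[Definition]` such as `# the f2b key at /root/.ssh/f2b/id_ed25519 is provisioned manually, not by this role` would document the dependency. Moving the private key out of the repository is itself a reasonable change; only the undocumented dependency is the concern.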
diff --git a/ansible/roles/traefik/files/file-provider-gitlab.yml b/ansible/roles/traefik/files/file-provider-gitlab.yml
index 38f36fc..130f06f 100644
--- a/ansible/roles/traefik/files/file-provider-gitlab.yml
+++ b/ansible/roles/traefik/files/file-provider-gitlab.yml
@@ -3,9 +3,6 @@ http:
router-gitlab:
rule: Host(`git.theorangeone.net`)
service: service-gitlab
- router-gitlab-registry:
- rule: Host(`registry.git.theorangeone.net`)
- service: service-gitlab
services:
service-gitlab:
loadBalancer:
diff --git a/ansible/roles/traefik/files/file-provider-main.yml b/ansible/roles/traefik/files/file-provider-main.yml
index 9db0547..013625a 100644
--- a/ansible/roles/traefik/files/file-provider-main.yml
+++ b/ansible/roles/traefik/files/file-provider-main.yml
@@ -8,7 +8,3 @@ http:
headers:
customResponseHeaders:
Permissions-Policy: interest-cohort=()
-
- shenanigans:
- forwardAuth:
- address: http://shenanigans
diff --git a/ansible/roles/traefik/files/nginx.conf b/ansible/roles/traefik/files/nginx.conf
deleted file mode 100644
index 9b40f9e..0000000
--- a/ansible/roles/traefik/files/nginx.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# NOTE: Use `$http_x_forwarded_host` intead of `$host`.
-
-server {
- listen 80 default_server;
-
- # Get IP correctly
- real_ip_header X-Forwarded-For;
- set_real_ip_from 0.0.0.0/0;
-
- # Allow everything through by default
- location / {
- return 200;
- }
-}
diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml
index e0d0069..48481f4 100644
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@@ -32,22 +32,21 @@ entryPoints:
- "{{ pve_hosts.internal_cidr }}"
- "{{ nebula.cidr }}"
traefik:
- address: :8080
+ address: "{{ private_ip }}:8080"
ping: {}
providers:
docker:
- endpoint: tcp://docker_proxy:2375
+ endpoint: unix:///var/run/docker.sock
watch: true
exposedByDefault: false
- network: traefik
file:
directory: /etc/traefik/conf
{% if with_traefik_pages %}
http:
endpoint:
- - "http://{{ traefik_pages_password }}@traefik-pages:5000/.traefik-pages/provider"
+ - "http://{{ traefik_pages_password }}@127.0.0.1:5000/.traefik-pages/provider"
{% endif %}
api:
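Review bot: The new provider line `- "http://{{ traefik_pages_password }}@127.0.0.1:5000/.traefik-pages/provider"` still references `traefik_pages_password`, while the traefik vars/main.yml hunk in this diff deletes the `traefik_pages_password:` definition; unless the variable is defined somewhere outside this diff (a vault or inventory file), rendering this template with `with_traefik_pages` true will fail on an undefined variable. A comment next to the line recording where the value is expected to come from, e.g. `# traefik_pages_password is expected from inventory/vault, not role vars`, would make that dependency visible. The credential in the URL now only travels over loopback, which is an improvement over the previous container-network hop, but it remains embedded in a config file on disk.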
diff --git a/ansible/roles/traefik/tasks/fail2ban.yml b/ansible/roles/traefik/tasks/fail2ban.yml
index 3a6b375..a576346 100644
--- a/ansible/roles/traefik/tasks/fail2ban.yml
+++ b/ansible/roles/traefik/tasks/fail2ban.yml
@@ -21,12 +21,3 @@
mode: 0644
become: true
notify: restart fail2ban
-
-- name: Create SSH key
- copy:
- src: files/fail2ban/f2b_key.key
- dest: /etc/fail2ban/f2b_key.key
- owner: root
- group: root
- mode: "0600"
- become: true
diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml
index 7770be5..5246076 100644
--- a/ansible/roles/traefik/tasks/main.yml
+++ b/ansible/roles/traefik/tasks/main.yml
@@ -1,9 +1,3 @@
-- name: Create network
- docker_network:
- name: traefik
- internal: true
- become: true
-
- name: Create install directory
file:
path: /opt/traefik
@@ -17,7 +11,6 @@
path: /opt/traefik/traefik/
state: directory
mode: "{{ docker_compose_directory_mask }}"
- owner: "{{ docker_user.name }}"
become: true
- name: Create file provider directory
@@ -25,7 +18,6 @@
path: /opt/traefik/traefik/conf
state: directory
mode: "{{ docker_compose_directory_mask }}"
- owner: "{{ docker_user.name }}"
become: true
- name: Install compose file
@@ -104,20 +96,5 @@
become: true
- name: fail2ban
- include_tasks: fail2ban.yml
+ include: fail2ban.yml
when: with_fail2ban
-
-- name: Check for nginx config
- stat:
- path: /opt/traefik/nginx.conf
- register: nginx_file
- become: true
-
-- name: Create nginx config, if it doesn't exist already
- template:
- src: files/nginx.conf
- dest: /opt/traefik/nginx.conf
- mode: "0600"
- when: not nginx_file.stat.exists
- notify: restart traefik
- become: true
diff --git a/ansible/roles/traefik/vars/main.yml b/ansible/roles/traefik/vars/main.yml
index cdfd256..12f39e3 100644
--- a/ansible/roles/traefik/vars/main.yml
+++ b/ansible/roles/traefik/vars/main.yml
@@ -14,4 +14,3 @@ letsencrypt_email: !vault |
62633331616264623932303031663130623135623566323964656162656265633863336333373538
3963303639373032620a363434643539393838303233653037383765363961373363333034343534
37663462663235613062633837373334366163636362386364356635313730363566
-traefik_pages_password: "{{ vault_traefik_pages_password }}"
diff --git a/ansible/roles/upload/files/docker-compose.yml b/ansible/roles/upload/files/docker-compose.yml
index a952958..2b72265 100644
--- a/ansible/roles/upload/files/docker-compose.yml
+++ b/ansible/roles/upload/files/docker-compose.yml
@@ -12,9 +12,6 @@ services:
labels:
- traefik.enable=true
- traefik.http.routers.upload.rule=Host(`upload.theorangeone.net`)
- networks:
- - default
- - traefik
img:
image: ghcr.io/realorangeone/static-server:latest
@@ -26,9 +23,6 @@ services:
labels:
- traefik.enable=true
- traefik.http.routers.img.rule=Host(`img.theorangeone.net`) || Host(`img.0rng.one`)
- networks:
- - default
- - traefik
bg:
image: ghcr.io/realorangeone/static-server:latest
@@ -41,9 +35,6 @@ services:
labels:
- traefik.enable=true
- traefik.http.routers.bg.rule=Host(`bg.theorangeone.net`)
- networks:
- - default
- - traefik
dl:
image: ghcr.io/realorangeone/static-server:latest
@@ -55,10 +46,3 @@ services:
labels:
- traefik.enable=true
- traefik.http.routers.dl.rule=Host(`dl.theorangeone.net`) || Host(`dl.0rng.one`)
- networks:
- - default
- - traefik
-
-networks:
- traefik:
- external: true
diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml
index 6cd9882..3509c14 100644
--- a/ansible/roles/uptime_kuma/files/docker-compose.yml
+++ b/ansible/roles/uptime_kuma/files/docker-compose.yml
@@ -2,24 +2,14 @@ version: "2.3"
services:
uptime-kuma:
- image: louislam/uptime-kuma:1.16.1-alpine
+ image: louislam/uptime-kuma:1.9.2-alpine
restart: unless-stopped
environment:
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}
- - TZ={{ timezone }}
- networks:
- - default
- - traefik
+ - TZ={{ TZ }}
volumes:
- ./data:/app/data
- dns:
- - 1.1.1.1
- - 8.8.8.8
labels:
- traefik.enable=true
- traefik.http.routers.uptime-kuma.rule=Host(`status.theorangeone.net`)
-
-networks:
- traefik:
- external: true
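Review bot: Pinning back to `louislam/uptime-kuma:1.9.2-alpine` while keeping the persisted `./data` volume means a SQLite database already migrated by the 1.16.1 release will be opened by an older binary; uptime-kuma is not expected to run its schema migrations backwards, so the container may fail to start or corrupt state — restore the volume from a pre-upgrade snapshot before applying, or keep the newer tag. Dropping the `traefik` network leaves this container only on the project default network, so the `traefik.enable=true` labels only route if traefik can reach that network (host networking or a shared default network), which is not visible here. The environment line now reads `{{ TZ }}` instead of `{{ timezone }}`; an undefined `TZ` variable aborts the template, so confirm it is defined for this host rather than relying on the shell environment.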
diff --git a/ansible/roles/vaultwarden/files/docker-compose.yml b/ansible/roles/vaultwarden/files/docker-compose.yml
index f7531fe..f43cc0e 100644
--- a/ansible/roles/vaultwarden/files/docker-compose.yml
+++ b/ansible/roles/vaultwarden/files/docker-compose.yml
@@ -2,7 +2,7 @@ version: "2.3"
services:
vaultwarden:
- image: vaultwarden/server:1.24.0-alpine
+ image: vaultwarden/server:1.23.0-alpine
restart: unless-stopped
user: "{{ docker_user.id }}:{{ docker_user.id }}"
volumes:
@@ -13,11 +13,11 @@ services:
labels:
- traefik.enable=true
- - traefik.http.routers.vaultwarden-ui.rule=Host(`vaultwarden.jakehoward.tech`)
+ - traefik.http.routers.vaultwarden-ui.rule=Host(`bw.jakehoward.tech`) || Host(`vaultwarden.jakehoward.tech`)
- traefik.http.routers.vaultwarden-ui.service=vaultwarden-ui
- traefik.http.services.vaultwarden-ui.loadbalancer.server.port=80
- - traefik.http.routers.vaultwarden-websocket.rule=Host(`vaultwarden.jakehoward.tech`) && Path(`/notifications/hub`)
+ - traefik.http.routers.vaultwarden-websocket.rule=(Host(`bw.jakehoward.tech`) || Host(`vaultwarden.jakehoward.tech`) )&& Path(`/notifications/hub`)
- traefik.http.routers.vaultwarden-websocket.service=vaultwarden-websocket
- traefik.http.services.vaultwarden-websocket.loadbalancer.server.port=3012
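Review bot: The websocket rule has a stray space before the closing parenthesis and none around the operator (`...vaultwarden.jakehoward.tech\`) )&& Path(...`); Traefik's rule parser is lenient, but write it as `(Host(...) || Host(...)) && Path(...)` so both routers read the same way. Serving the same instance under `bw.jakehoward.tech` and `vaultwarden.jakehoward.tech` also means only one of them can match vaultwarden's `DOMAIN` setting (not visible in this hunk); vault links, attachment URLs and WebAuthn registration are bound to that value, so logins through the other hostname may break — consider redirecting one hostname to the other at the traefik layer instead of routing both.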
@@ -35,19 +35,12 @@ services:
- INVITATIONS_ALLOWED=false
- ROCKET_WORKERS={{ ansible_processor_nproc // 2 }}
- WEBSOCKET_ENABLED=true
- networks:
- - default
- - traefik
db:
- image: postgres:14-alpine
+ image: postgres:12-alpine
restart: unless-stopped
volumes:
- /mnt/tank/dbs/postgres/vaultwarden/:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD={{ vaultwarden_database_password }}
- POSTGRES_USER=vaultwarden
-
-networks:
- traefik:
- external: true
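Review bot: Changing `db` from `postgres:14-alpine` to `postgres:12-alpine` while still mounting `/mnt/tank/dbs/postgres/vaultwarden/` as the data directory will stop the database from starting: PostgreSQL refuses to open a cluster initialised by a newer major version ("database files are incompatible with server"), and there is no in-place downgrade path. If the older major is really wanted, take a `pg_dump` under 14, re-initialise the data directory and restore under 12; otherwise keep `image: postgres:14-alpine`. The same caveat applies to the vaultwarden image moving back to 1.23.0 in the hunk above, since the application runs its own migrations on that database and does not undo them.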
diff --git a/ansible/roles/wireguard_53/files/client.conf b/ansible/roles/wireguard_53/files/client.conf
deleted file mode 100644
index 4322c32..0000000
--- a/ansible/roles/wireguard_53/files/client.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-[Interface]
-Address = {{ client_cidr }}
-PrivateKey = {{ client_private_key }}
-
-[Peer]
-PublicKey = {{ server_public_key }}
-Endpoint = {{ server_public_ip }}:53
-AllowedIPs = 0.0.0.0/0
-
-PersistentKeepalive = 25
diff --git a/ansible/roles/wireguard_53/files/server.conf b/ansible/roles/wireguard_53/files/server.conf
deleted file mode 100644
index 2ab3e09..0000000
--- a/ansible/roles/wireguard_53/files/server.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[Interface]
-Address = {{ server_ip }}
-PrivateKey = {{ server_private_key }}
-ListenPort = 53
-
-PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
-
-[Peer]
-PublicKey = {{ client_public_key }}
-AllowedIPs = {{ client_cidr }}
diff --git a/ansible/roles/wireguard_53/handlers/main.yml b/ansible/roles/wireguard_53/handlers/main.yml
deleted file mode 100644
index 989e9bc..0000000
--- a/ansible/roles/wireguard_53/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: restart wireguard
- service:
- name: wg-quick@wg53
- state: restarted
- become: true
diff --git a/ansible/roles/wireguard_53/tasks/main.yml b/ansible/roles/wireguard_53/tasks/main.yml
deleted file mode 100644
index 1a34919..0000000
--- a/ansible/roles/wireguard_53/tasks/main.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-- name: Include vault
- include_vars: vault.yml
-
-- name: Install wireguard tools
- package:
- name: "{{ item }}"
- become: true
- loop:
- - wireguard-tools
- - qrencode
-
-- name: Wireguard server config
- template:
- src: files/server.conf
- dest: /etc/wireguard/wg53.conf
- mode: "0600"
- backup: true
- become: true
- notify: restart wireguard
-
-- name: Wireguard client config
- template:
- src: files/client.conf
- dest: "{{ home }}/wg53.conf"
- mode: "0600"
- become: true
- notify: restart wireguard
-
-- name: Enable wireguard
- service:
- name: wg-quick@wg53
- enabled: true
- become: true
diff --git a/ansible/roles/wireguard_53/vars/main.yml b/ansible/roles/wireguard_53/vars/main.yml
deleted file mode 100644
index c3a2553..0000000
--- a/ansible/roles/wireguard_53/vars/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-client_public_key: "{{ vault_client_public_key }}"
-client_private_key: "{{ vault_client_private_key }}"
-client_cidr: 10.23.4.2/24
-
-server_public_key: "{{ vault_server_public_key }}"
-server_private_key: "{{ vault_server_private_key }}"
-server_public_ip: "{{ ansible_default_ipv4.address }}"
-server_ip: 10.23.4.1
diff --git a/ansible/roles/wireguard_53/vars/vault.yml b/ansible/roles/wireguard_53/vars/vault.yml
deleted file mode 100644
index c6d44cd..0000000
--- a/ansible/roles/wireguard_53/vars/vault.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-35366163656631633636333937333238346539653236323463316333356637623263326436623130
-3333616234643935306337386165623734333265663237610a326538636532643835373137316333
-30363133343035353235616639613637353435303863393130396261623063633836383430326530
-3634313639353264310a393266313230646132656561393737363834646566313765633235343139
-36303834353039303134393061386634373735316135656564386464363863376265633239313037
-62616535313239353233376163343437303933346264323266386533336138656135663664356164
-65643262303436343164613133333361393438616234616566336131636461383538326130623264
-62313134386430636665646539306661383039323339373838346164653836326536386332616634
-34313331623166356137363131356130623863313339663938386138643538323666616239656662
-36313534323237306631663931633830346565616139313864333762356330643131343630653535
-62323939376163363436336633386433323435316535623462353138386430333332653966383262
-33636534346466326631333362343638616332633163623533613364326665376565643739666261
-34646533613133313034366636623134613336623134356562393335313337336336623634336633
-66623365353866396564386536386330353537383866616665373762306530356333643265326537
-38353138626331623433643636623130613766616638343034633536306232316133303133356463
-36616665643264396137336234316466306238303461363531653461623834376361653334326235
-31366530636565383062313562663639393534373737363465656538393266363936333136636161
-3239303565613865633433313237393932306632633633373261
diff --git a/ansible/roles/yourls/files/docker-compose.yml b/ansible/roles/yourls/files/docker-compose.yml
index be589ac..2e024bc 100644
--- a/ansible/roles/yourls/files/docker-compose.yml
+++ b/ansible/roles/yourls/files/docker-compose.yml
@@ -2,7 +2,7 @@ version: "2.3"
services:
yourls:
- image: yourls:apache
+ image: yourls:1.7.9-apache
restart: unless-stopped
depends_on:
- mariadb
@@ -18,12 +18,9 @@ services:
labels:
- traefik.enable=true
- traefik.http.routers.yourls.rule=Host(`0rng.one`)
- networks:
- - default
- - traefik
mariadb:
- image: mariadb:10.7
+ image: mariadb:10.5
environment:
- MYSQL_ROOT_PASSWORD=root
- MYSQL_DATABASE=yourls
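Review bot: Moving `mariadb` from 10.7 to 10.5 with the persistent `/var/lib/mysql` volume (mounted just below this hunk) is a downgrade across release series, which MariaDB does not support; the server may refuse to start on a data directory written by 10.7, so either dump and restore or keep `image: mariadb:10.7`. While here, `MYSQL_ROOT_PASSWORD=root` is still a hard-coded, well-known credential; even on the project-only network it should come from a vault-backed variable, as the vaultwarden role already does for `POSTGRES_PASSWORD`.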
@@ -32,7 +29,3 @@ services:
volumes:
- /mnt/tank/dbs/mariadb/yourls:/var/lib/mysql
restart: unless-stopped
-
-networks:
- traefik:
- external: true
diff --git a/ansible/roles/yourls/files/index.html b/ansible/roles/yourls/files/index.html
index 7f1407d..8e8085b 100644
--- a/ansible/roles/yourls/files/index.html
+++ b/ansible/roles/yourls/files/index.html
@@ -1,7 +1,6 @@
-
Redirecting to website...
diff --git a/ansible/roles/zfs/defaults/main.yml b/ansible/roles/zfs/defaults/main.yml
index 5a63096..d0768ed 100644
--- a/ansible/roles/zfs/defaults/main.yml
+++ b/ansible/roles/zfs/defaults/main.yml
@@ -1,6 +1,31 @@
# Cap ARC size to 50% RAM
zfs_arc_size: "{{ (ansible_memtotal_mb * 1024 * 1024) * 0.5 }}"
-sanoid_datasets: {}
+sanoid_datasets:
+ tank:
+ use_template: production
+ recursive: true
+ process_children_only: true
-sanoid_templates: {}
+ tank/downloads:
+ use_template: replaceable
+ recursive: true
+
+sanoid_templates:
+ production:
+ frequently: 0
+ hourly: 24
+ daily: 14
+ monthly: 2
+ yearly: 0
+ autosnap: true
+ autoprune: true
+
+ replaceable:
+ frequently: 0
+ hourly: 6
+ daily: 2
+ monthly: 0
+ yearly: 0
+ autosnap: true
+ autoprune: true
diff --git a/ansible/roles/zfs/tasks/main.yml b/ansible/roles/zfs/tasks/main.yml
index dfde141..abe0638 100644
--- a/ansible/roles/zfs/tasks/main.yml
+++ b/ansible/roles/zfs/tasks/main.yml
@@ -22,4 +22,4 @@
become: true
- name: Sanoid
- include_tasks: sanoid.yml
+ include: sanoid.yml
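Review bot: `include:` is the deprecated Ansible action (deprecated since 2.4 and removed in recent ansible-core releases), so this line will eventually fail to load and newer ansible-lint versions flag it; keep `include_tasks: sanoid.yml`. If the intent was static inclusion for handler or tag visibility, `import_tasks: sanoid.yml` is the supported equivalent.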
diff --git a/ansible/vault-pass.sh b/ansible/vault-pass.sh
deleted file mode 100755
index 8cbf3c9..0000000
--- a/ansible/vault-pass.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-bw get password infrastructure
diff --git a/ansible/yamllint.yml b/ansible/yamllint.yml
deleted file mode 120000
index ed6c4a0..0000000
--- a/ansible/yamllint.yml
+++ /dev/null
@@ -1 +0,0 @@
-../yamllint.yml
\ No newline at end of file
diff --git a/ansible/yamllint.yml b/ansible/yamllint.yml
new file mode 100644
index 0000000..2dd2400
--- /dev/null
+++ b/ansible/yamllint.yml
@@ -0,0 +1,17 @@
+extends: default
+
+ignore: |
+ ansible/galaxy_roles
+ ansible/galaxy_collections
+ ansible/group_vars/all/hosts.yml
+ ansible/roles/traefik/files/traefik.yml
+ ansible/roles/nebula/files/nebula.yml
+
+rules:
+ document-start: disable
+ truthy: disable
+ quoted-strings:
+ quote-type: double
+ required: only-when-needed
+ line-length:
+ max: 160
diff --git a/renovate.json b/renovate.json
deleted file mode 100644
index 432cb31..0000000
--- a/renovate.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": [
- "config:base"
- ],
- "prHourlyLimit": 0,
- "prConcurrentLimit": 0
-}
diff --git a/scripts/ansible/deploy.sh b/scripts/ansible/deploy.sh
index 9c7f847..fed0067 100755
--- a/scripts/ansible/deploy.sh
+++ b/scripts/ansible/deploy.sh
@@ -4,4 +4,4 @@ set -ex
cd ansible/
-time ansible-playbook main.yml -K $@
+time ansible-playbook main.yml -K --vault-password-file .vault_pass $@
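Review bot: `$@` is unquoted, so any forwarded argument containing whitespace (a `-e 'key=some value'` or a limit pattern) is re-split before it reaches ansible-playbook; use `"$@"`. The vault password now lives as plaintext in `.vault_pass`; make sure the file is created with mode 0600 and is excluded from version control (not visible in this hunk), and note that `--vault-password-file` also accepts an executable, so a script that fetches the secret from a password manager remains an option without changing this line.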
diff --git a/scripts/ansible/lint.sh b/scripts/ansible/lint.sh
index 8f9bc5a..ebfe14e 100755
--- a/scripts/ansible/lint.sh
+++ b/scripts/ansible/lint.sh
@@ -4,10 +4,10 @@ set -e
PATH=${PWD}/env/bin:${PATH}
-yamllint -sc ansible/yamllint.yml ansible
+set -x
-cd ansible/
+yamllint -sc ansible/yamllint.yml ansible/
-ansible-lint -p
+ansible-lint ansible/main.yml -p -c ansible/.ansible-lint
-ansible-playbook main.yml --syntax-check
+cd ansible/ && ansible-playbook main.yml --syntax-check
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
deleted file mode 100644
index 5b07f89..0000000
--- a/terraform/.terraform.lock.hcl
+++ /dev/null
@@ -1,98 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/cloudflare/cloudflare" {
- version = "2.11.0"
- constraints = "2.11.0"
- hashes = [
- "h1:C+Yi2SSXY0j07UPRqg40xpyX2G8q1+kevz8dPwqveTc=",
- "zh:0ae743775b7eb32a72bae690e9153291370f6e45cfab978112289605d89d6b8f",
- "zh:3183078306ddbe7248cad81322d0ebf5eddae3a2792929651a48d60ebb5ae61d",
- "zh:5d211cacf6baa238468dad7c39d7775bd055cc944bb2b4fbdaa5f60c80735137",
- "zh:6ade3a98133832852b0a8357322632b316a00c311b3111293a3b8f2c1a8bad21",
- "zh:71828e5015c095547c0f2e9053536486110d1a53939aa3c81f0e680b269ed8a2",
- "zh:a32dc93fbce15af678196201507074d71a7a4b90c44710a39ca0c721a5068c7b",
- "zh:a643d84e9b7792482e797e96ee783678f9c6fda534b0f718c482853611aecb4d",
- "zh:d6e52640721b777606cf292ba2f823af07dfc14d11f24799d4c3a4f05af06220",
- "zh:deff9d1e2b859481ba3c1b09c856de3ae705783adb967d26519c92f9f34f8be5",
- "zh:e7d8a9ccae6da76a54ab37a408a37fb79de4cc90a36838bd69ade24e9eaa1172",
- "zh:ec23e7b1f0d3e267da7a340326520347b1a62ea6cbc4722dea1fd50762895708",
- ]
-}
-
-provider "registry.terraform.io/hashicorp/aws" {
- version = "3.8.0"
- constraints = "3.8.0"
- hashes = [
- "h1:BVmiigtBDykRR58vG3TxvnWHls1ODJw+LsU5rJNIs5E=",
- "zh:1ebc1f75d085e2d710e72458706e8c89e64f2f74eb41a77533f866692cf8266b",
- "zh:421b6b1108dfc11ed1a42e39bf07bc459142a1bff051103bac3e8a564c8363f2",
- "zh:573c3096eaef0b2045b253c7ccf090f2b4eb740cf81eab359565c6827cbab8ff",
- "zh:579f920de241446e3cc2d788a991d628144a4664c3b1bb2267a03d9b0d3ddc4e",
- "zh:93cd69c7a0957e86d31ee9aefc7bbdfb0326b87eba7b6cde5e3839c8cf882313",
- "zh:b24e23875aa4581a9020519f3ca654cb66bf0b395121fffeb4b11c393cee6b56",
- "zh:bfed6644cac0885e3dbf6e1485a32ad386ba7b581b7730edd71111f73f79c923",
- "zh:c523c7db06c404c21ccd3b62a8d11d2118e0e0258a745c38a9989958bf818c33",
- "zh:d931d23ad961616f1ad437b48cb4ad147b3b68fedf8d1b541ab6c5e49eacb32c",
- "zh:e05ac4243af39a9731b64d35fcc4fbf070525692089e1f104df43c93a6e1d151",
- ]
-}
-
-provider "registry.terraform.io/hashicorp/local" {
- version = "2.1.0"
- hashes = [
- "h1:EYZdckuGU3n6APs97nS2LxZm3dDtGqyM4qaIvsmac8o=",
- "zh:0f1ec65101fa35050978d483d6e8916664b7556800348456ff3d09454ac1eae2",
- "zh:36e42ac19f5d68467aacf07e6adcf83c7486f2e5b5f4339e9671f68525fc87ab",
- "zh:6db9db2a1819e77b1642ec3b5e95042b202aee8151a0256d289f2e141bf3ceb3",
- "zh:719dfd97bb9ddce99f7d741260b8ece2682b363735c764cac83303f02386075a",
- "zh:7598bb86e0378fd97eaa04638c1a4c75f960f62f69d3662e6d80ffa5a89847fe",
- "zh:ad0a188b52517fec9eca393f1e2c9daea362b33ae2eb38a857b6b09949a727c1",
- "zh:c46846c8df66a13fee6eff7dc5d528a7f868ae0dcf92d79deaac73cc297ed20c",
- "zh:dc1a20a2eec12095d04bf6da5321f535351a594a636912361db20eb2a707ccc4",
- "zh:e57ab4771a9d999401f6badd8b018558357d3cbdf3d33cc0c4f83e818ca8e94b",
- "zh:ebdcde208072b4b0f8d305ebf2bfdc62c926e0717599dcf8ec2fd8c5845031c3",
- "zh:ef34c52b68933bedd0868a13ccfd59ff1c820f299760b3c02e008dc95e2ece91",
- ]
-}
-
-provider "registry.terraform.io/linode/linode" {
- version = "1.25.1"
- constraints = "1.25.1"
- hashes = [
- "h1:kNBJat6vK3+lVWMUdv2HUcmU2j5UWrnojxkl0zfP+4Q=",
- "zh:011d31d5ba135db140a9e4d34b6a358b05f26e9649fa3ac252ba5753be87dbc7",
- "zh:0c61b38aa196c7bbc12285893c9a8a5e995e56fd6a013329774c670b62b38897",
- "zh:1227a34a2002145aa4817999a08cdba3f0f412d51d24f4848aa0a9b08a58f186",
- "zh:4f6c119d150576ee737aa532062378e577a0754b85c32eec988ee094af798a07",
- "zh:62751d4e56c38cd4952a69746a2c941a28d6b76fa12173fb7d135ba999d3b7ae",
- "zh:743c1f54c40c2a129df35c0deb0a4af899472ff85fb79a58a282b2107072954c",
- "zh:78a7c6d4a75eae1e6753bf74341245739f65d90ff4c78bdeab49a579db678a52",
- "zh:835b587b57caa1e695bdc932e0036efafd3a069bfae3151e1d574c854eaef24c",
- "zh:93a797797f7c566af735802a4da17a0adbf4b5303cb2fcd62173289a2211b059",
- "zh:942bb3aef76f55067379d991a64f9641f44f5d40ed8d31f8857683bb75ee3f47",
- "zh:9bd2bc6fa211153cff5487ac3a8afad24f742cd946985eade67dc413c0a47d84",
- "zh:a4f9dfef3a29e861282b6ef8917819f351da8fb00b390cb75549718b6c8b9dc4",
- "zh:af185b9471439c37dc0580871eb230a36f4cfc0dbb75c3ec911242a56b92efda",
- "zh:eb7dfa4e9041a947ff776b9fd0da06790bd5ea23c26e4c5332f88f9ff3b24cff",
- ]
-}
-
-provider "registry.terraform.io/vultr/vultr" {
- version = "2.1.4"
- constraints = "2.1.4"
- hashes = [
- "h1:xlp22yaH/Z/ub7vAZTDyPnViL8QfJBQnZR/e6UWZqXk=",
- "zh:087b47412fbc46d750df122c3e2e8e4ecf4921af3e17957f1f4eac7e4ac9b470",
- "zh:1edde9112f2c7026cac0be274ae1c65c9b40848ee4be36040202d4eda7d9e368",
- "zh:39e3e81b135d5692d6729795bd73a4c0fc2e846c69a4a7c134b89680b5295f58",
- "zh:3e739d1eb8e22fe32d5c9fe0ddc27f8a2697df3baccc25e8493a6baecb6a3ab8",
- "zh:710afe1c0a7fb555bb684de4aaaacd4a427512ccab7addfed9def26ca96f6721",
- "zh:7c1d7f4cc5d30521a352d28526dbca4bc8494818ccea44314376232625ddce85",
- "zh:87ec18cc87d7ba8563e96c0fbf6120e286b34d77392e384289d7332a57b0be40",
- "zh:a38b698278359ac4b3c63318906b06a49d7bed43c614a2394918404812dd375d",
- "zh:ab92d9eb1b2042cb853f05ccc884a9b6fe0ed972d328a65d0f80ae45f981524a",
- "zh:aeafd160fd2cade4c3e7d5f32daf005269cf0e345cf329a8793875a871406fb8",
- "zh:e76920737b3e0af032f28bf210d2285e26887c4c090d44b1f89f1d5e8cd89e0c",
- ]
-}
diff --git a/terraform/0rng.one.tf b/terraform/0rng.one.tf
index 4534b96..95fb3dd 100644
--- a/terraform/0rng.one.tf
+++ b/terraform/0rng.one.tf
@@ -29,7 +29,7 @@ resource "cloudflare_record" "orngone_img" {
resource "cloudflare_record" "orngone_yourls" {
zone_id = cloudflare_zone.orngone.id
name = "@"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf
index 47082b4..60ab3de 100644
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@@ -1,81 +1,20 @@
-resource "linode_instance" "casey" {
- label = "casey"
- image = "linode/arch"
- region = "eu-west"
- type = "g6-nanode-1"
- private_ip = true
+module "casey_firewall" {
+ source = "./vultr_firewall/"
+
+ description = "casey"
+ ports = [
+ "80/tcp",
+ "443/tcp",
+ "51820/udp",
+ "8448/tcp",
+ "6328/udp"
+ ]
}
-resource "linode_firewall" "casey" {
- label = "casey"
- linodes = [linode_instance.casey.id]
- outbound_policy = "ACCEPT"
- inbound_policy = "DROP"
- inbound {
- label = "allow-ping"
- action = "ACCEPT"
- protocol = "ICMP"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-
- inbound {
- label = "allow-inbound-https"
- action = "ACCEPT"
- protocol = "TCP"
- ports = "443"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-
- inbound {
- label = "allow-inbound-http"
- action = "ACCEPT"
- protocol = "TCP"
- ports = "80"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-
- inbound {
- label = "allow-inbound-wireguard"
- action = "ACCEPT"
- protocol = "UDP"
- ports = "51820"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-
- inbound {
- label = "allow-inbound-wireguard-53"
- action = "ACCEPT"
- protocol = "UDP"
- ports = "53"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-
- inbound {
- label = "allow-inbound-nebula"
- action = "ACCEPT"
- protocol = "UDP"
- ports = "6328"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-
- inbound {
- label = "allow-inbound-matrix"
- action = "ACCEPT"
- protocol = "TCP"
- ports = "8448"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-}
-
-resource "linode_rdns" "casey_reverse_ipv4" {
- address = linode_instance.casey.ip_address
- rdns = "casey.sys.theorangeone.net"
+resource "vultr_instance" "casey" {
+ plan = "" # On a plan unsupported by API
+ region = "lhr"
+ hostname = "casey"
+ firewall_group_id = module.casey_firewall.firewall_group.id
}
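Review bot: `plan = ""` will not survive a create (the Vultr API rejects an empty plan) and, for an instance that was imported, leaves a permanent diff between the configured empty string and the real plan, which Terraform will try to apply on every run; record the actual plan id from `terraform state show` and add `lifecycle { ignore_changes = [plan] }` if the plan cannot be managed through the API, rather than leaving it empty with a comment. The old Linode firewall also had an explicit ICMP allow rule, while the new module only receives a `ports` list; whether ping and SSH are still permitted depends on `./vultr_firewall/`, which is not visible here, so confirm it before applying. Dropping `53/udp` is consistent with the wireguard_53 role being removed in the same change.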
diff --git a/terraform/context.tf b/terraform/context.tf
index a24c446..6253795 100644
--- a/terraform/context.tf
+++ b/terraform/context.tf
@@ -1,10 +1,10 @@
resource "local_file" "hosts" {
content = yamlencode({
hosts : {
- casey_ip : linode_instance.casey.ip_address,
+ casey_ip : vultr_instance.casey.main_ip,
walker_ip : vultr_instance.walker.main_ip,
grimes_ip : vultr_instance.grimes.main_ip,
- decker_ip : linode_instance.decker.ip_address,
+ decker_ip : vultr_instance.decker.main_ip,
}
})
filename = "${path.module}/../ansible/group_vars/all/hosts.yml"
diff --git a/terraform/decker_vps.tf b/terraform/decker_vps.tf
index 44a6ed3..56bf9c5 100644
--- a/terraform/decker_vps.tf
+++ b/terraform/decker_vps.tf
@@ -1,45 +1,17 @@
-resource "linode_instance" "decker" {
- label = "decker"
- image = "linode/arch"
- region = "eu-central"
- type = "g6-nanode-1"
- private_ip = true
+module "decker_firewall" {
+ source = "./vultr_firewall/"
+
+ description = "decker"
+ ports = [
+ "80/tcp",
+ "443/tcp",
+ ]
}
-resource "linode_firewall" "decker" {
- label = "decker"
- linodes = [linode_instance.decker.id]
- outbound_policy = "ACCEPT"
- inbound_policy = "DROP"
- inbound {
- label = "allow-ping"
- action = "ACCEPT"
- protocol = "ICMP"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-
- inbound {
- label = "allow-inbound-https"
- action = "ACCEPT"
- protocol = "TCP"
- ports = "443"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-
- inbound {
- label = "allow-inbound-http"
- action = "ACCEPT"
- protocol = "TCP"
- ports = "80"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-}
-
-resource "linode_rdns" "decker_reverse_ipv4" {
- address = linode_instance.decker.ip_address
- rdns = "decker.sys.theorangeone.net"
+resource "vultr_instance" "decker" {
+ plan = "vc2-1c-1gb"
+ region = "cdg"
+ hostname = "decker"
+ firewall_group_id = module.decker_firewall.firewall_group.id
}
diff --git a/terraform/grimes_vps.tf b/terraform/grimes_vps.tf
index 73b8a17..42ab870 100644
--- a/terraform/grimes_vps.tf
+++ b/terraform/grimes_vps.tf
@@ -5,19 +5,13 @@ module "grimes_firewall" {
ports = [
"80/tcp",
"443/tcp",
- "7743/tcp",
]
}
+
resource "vultr_instance" "grimes" {
plan = "vhf-1c-1gb"
region = "lhr"
hostname = "grimes"
firewall_group_id = module.grimes_firewall.firewall_group.id
}
-
-resource "vultr_reverse_ipv4" "grimes_reverse_ipv4" {
- instance_id = vultr_instance.grimes.id
- ip = vultr_instance.grimes.main_ip
- reverse = "grimes.sys.theorangeone.net"
-}
diff --git a/terraform/jakehoward.tech.tf b/terraform/jakehoward.tech.tf
index 6f238fa..a72a7f9 100644
--- a/terraform/jakehoward.tech.tf
+++ b/terraform/jakehoward.tech.tf
@@ -23,7 +23,7 @@ resource "cloudflare_record" "jakehowardtech_mx2" {
resource "cloudflare_record" "jakehowardtech_txt" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "@"
- value = "v=spf1 include:spf.messagingengine.com ~all"
+ value = "v=spf1 include:spf.messagingengine.com ?all"
type = "TXT"
ttl = 1
}
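Review bot: Changing the SPF terminator from `~all` to `?all` weakens the policy: `?all` is "neutral", which receivers treat as no assertion at all, so mail forged from hosts outside `spf.messagingengine.com` is no longer soft-failed and spam filters get no signal from SPF. Unless there is a known legitimate sender being blocked, keep `value = "v=spf1 include:spf.messagingengine.com ~all"` (or `-all` once a DMARC policy is in place).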
@@ -55,7 +55,7 @@ resource "cloudflare_record" "jakehowardtech_dkim_fm3" {
resource "cloudflare_record" "jakehowardtech_wallabag" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "wallabag"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -63,7 +63,7 @@ resource "cloudflare_record" "jakehowardtech_wallabag" {
resource "cloudflare_record" "jakehowardtech_ttrss" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "tt-rss"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -71,7 +71,7 @@ resource "cloudflare_record" "jakehowardtech_ttrss" {
resource "cloudflare_record" "jakehowardtech_speed" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "speed"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -79,7 +79,7 @@ resource "cloudflare_record" "jakehowardtech_speed" {
resource "cloudflare_record" "jakehowardtech_quassel" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "quassel"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -87,7 +87,7 @@ resource "cloudflare_record" "jakehowardtech_quassel" {
resource "cloudflare_record" "jakehowardtech_media" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "media"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -95,7 +95,7 @@ resource "cloudflare_record" "jakehowardtech_media" {
resource "cloudflare_record" "jakehowardtech_matrix" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "matrix"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -103,7 +103,7 @@ resource "cloudflare_record" "jakehowardtech_matrix" {
resource "cloudflare_record" "jakehowardtech_intersect" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "intersect"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -111,7 +111,7 @@ resource "cloudflare_record" "jakehowardtech_intersect" {
resource "cloudflare_record" "jakehowardtech_calibre" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "calibre"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -119,7 +119,7 @@ resource "cloudflare_record" "jakehowardtech_calibre" {
resource "cloudflare_record" "jakehowardtech_homeassistant" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "homeassistant"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -127,7 +127,15 @@ resource "cloudflare_record" "jakehowardtech_homeassistant" {
resource "cloudflare_record" "jakehowardtech_grafana" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "grafana"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
+ type = "A"
+ ttl = 1
+}
+
+resource "cloudflare_record" "jakehowardtech_bw" {
+ zone_id = cloudflare_zone.jakehowardtech.id
+ name = "bw"
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -135,7 +143,7 @@ resource "cloudflare_record" "jakehowardtech_grafana" {
resource "cloudflare_record" "jakehowardtech_vaultwarden" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "vaultwarden"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
diff --git a/terraform/providers.tf b/terraform/providers.tf
index e833ed3..523fdef 100644
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -12,7 +12,3 @@ provider "cloudflare" {
provider "aws" {
region = "eu-west-2"
}
-
-provider "linode" {
- token = var.linode_personal_access_token
-}
diff --git a/terraform/sys_domains.tf b/terraform/sys_domains.tf
deleted file mode 100644
index a251fe6..0000000
--- a/terraform/sys_domains.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-resource "cloudflare_record" "sys_domain_casey" {
- zone_id = cloudflare_zone.theorangeonenet.id
- name = "casey.sys"
- value = linode_instance.casey.ip_address
- type = "A"
- ttl = 1
-}
-
-resource "cloudflare_record" "sys_domain_walker" {
- zone_id = cloudflare_zone.theorangeonenet.id
- name = "walker.sys"
- value = vultr_instance.walker.main_ip
- type = "A"
- ttl = 1
-}
-
-resource "cloudflare_record" "sys_domain_grimes" {
- zone_id = cloudflare_zone.theorangeonenet.id
- name = "grimes.sys"
- value = vultr_instance.grimes.main_ip
- type = "A"
- ttl = 1
-}
-
-resource "cloudflare_record" "sys_domain_decker" {
- zone_id = cloudflare_zone.theorangeonenet.id
- name = "decker.sys"
- value = linode_instance.decker.ip_address
- type = "A"
- ttl = 1
-}
diff --git a/terraform/terraform.tf b/terraform/terraform.tf
index 8593525..ada7aba 100644
--- a/terraform/terraform.tf
+++ b/terraform/terraform.tf
@@ -12,9 +12,5 @@ terraform {
source = "hashicorp/aws"
version = "3.8.0"
}
- linode = {
- source = "linode/linode"
- version = "1.25.1"
- }
}
}
diff --git a/terraform/theorangeone.net.tf b/terraform/theorangeone.net.tf
index 6cfdaba..077d806 100644
--- a/terraform/theorangeone.net.tf
+++ b/terraform/theorangeone.net.tf
@@ -5,23 +5,15 @@ resource "cloudflare_zone" "theorangeonenet" {
resource "cloudflare_record" "theorangeonenet_git" {
zone_id = cloudflare_zone.theorangeonenet.id
name = "git"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
-resource "cloudflare_record" "theorangeonenet_git_registry" {
- zone_id = cloudflare_zone.theorangeonenet.id
- name = "registry.git"
- value = cloudflare_record.theorangeonenet_git.hostname
- type = "CNAME"
- ttl = 1
-}
-
resource "cloudflare_record" "theorangeonenet_whoami" {
zone_id = cloudflare_zone.theorangeonenet.id
name = "whoami"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -44,10 +36,10 @@ resource "cloudflare_record" "theorangeonenet_mx2" {
ttl = 1
}
-resource "cloudflare_record" "theorangeonenet_spf" {
+resource "cloudflare_record" "theorangeonenet_txt" {
zone_id = cloudflare_zone.theorangeonenet.id
name = "@"
- value = "v=spf1 include:spf.messagingengine.com ~all"
+ value = "v=spf1 include:spf.messagingengine.com ?all"
type = "TXT"
ttl = 1
}
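Review bot: Renaming the resource from `cloudflare_record.theorangeonenet_spf` to `cloudflare_record.theorangeonenet_txt` is a destroy-and-create for Terraform, so the zone briefly has no SPF record during apply; add a `moved` block from the old address to the new one (Terraform 1.1+) or run `terraform state mv` first. The value change to `?all` also weakens the policy to neutral, which receivers treat as no assertion, so forged mail from unlisted hosts is no longer soft-failed; keep `~all` (or `-all` with DMARC) as on the old side. The name `_txt` is also less descriptive than `_spf` for a record that only holds the SPF policy.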
@@ -109,14 +101,6 @@ resource "cloudflare_record" "theorangeonenet_img" {
ttl = 1
}
-resource "cloudflare_record" "theorangeonenet_matrix" {
- zone_id = cloudflare_zone.theorangeonenet.id
- name = "matrix"
- value = linode_instance.casey.ip_address
- type = "A"
- ttl = 1
-}
-
resource "cloudflare_record" "theorangeonenet_dl" {
zone_id = cloudflare_zone.theorangeonenet.id
name = "dl"
@@ -176,7 +160,7 @@ resource "cloudflare_record" "theorangeonenet_notes" {
resource "cloudflare_record" "theorangeonenet_privatebin" {
zone_id = cloudflare_zone.theorangeonenet.id
name = "bin"
- value = linode_instance.casey.ip_address
+ value = vultr_instance.casey.main_ip
type = "A"
ttl = 1
}
@@ -200,15 +184,7 @@ resource "cloudflare_record" "theorangeonenet_dokku_wildcard" {
resource "cloudflare_record" "theorangeonenet_status" {
zone_id = cloudflare_zone.theorangeonenet.id
name = "status"
- value = linode_instance.decker.ip_address
+ value = vultr_instance.decker.main_ip
type = "A"
ttl = 1
}
-
-resource "cloudflare_record" "theorangeonenet_google_site_verification" {
- zone_id = cloudflare_zone.theorangeonenet.id
- name = "@"
- value = "google-site-verification=IXY4iSBN_vOcM3cp_f-BgVvEI_shz1GzXuY_8dqY61o"
- type = "TXT"
- ttl = 1
-}
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 17d94d2..4cc277f 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -1,4 +1,3 @@
variable "vultr_api_key" {}
variable "cloudflare_api_key" {}
variable "cloudflare_email" {}
-variable "linode_personal_access_token" {}
diff --git a/terraform/walker_vps.tf b/terraform/walker_vps.tf
index 9736b20..a639a2d 100644
--- a/terraform/walker_vps.tf
+++ b/terraform/walker_vps.tf
@@ -8,15 +8,10 @@ module "walker_firewall" {
]
}
+
resource "vultr_instance" "walker" {
plan = "vhf-1c-1gb"
region = "lhr"
hostname = "walker"
firewall_group_id = module.walker_firewall.firewall_group.id
}
-
-resource "vultr_reverse_ipv4" "walker_reverse_ipv4" {
- instance_id = vultr_instance.walker.id
- ip = vultr_instance.walker.main_ip
- reverse = "walker.sys.theorangeone.net"
-}
diff --git a/yamllint.yml b/yamllint.yml
deleted file mode 100644
index 2dd2400..0000000
--- a/yamllint.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-extends: default
-
-ignore: |
- ansible/galaxy_roles
- ansible/galaxy_collections
- ansible/group_vars/all/hosts.yml
- ansible/roles/traefik/files/traefik.yml
- ansible/roles/nebula/files/nebula.yml
-
-rules:
- document-start: disable
- truthy: disable
- quoted-strings:
- quote-type: double
- required: only-when-needed
- line-length:
- max: 160